With this document you can:

Print the full document
Save the page as a HTML document to your device
Print the page as a document
Use your browser print option to save the page as a PDF file

This section is not visible in the printed version.

Public Statements

Public statements can be viewed on our website at gamblingcommission.gov.uk/public-register

Generated: 18 May 2025

Football Pools Limited Public Statement

Published: 27 March 2025

Operators are expected to consider the issues outlined below and review their own practices to identify and implement improvements in respect of the management of customers’ accounts.

Introduction

Licensed gambling operators have a legal duty to ensure their gambling facilities are provided in compliance with the Gambling Act 2005 (opens in new tab)(the Act), the conditions of their licence and in accordance with the licensing objectives, which are to:

prevent gambling from being a source of crime or disorder, being associated with crime or disorder or being used to support crime
ensure that gambling is conducted in a fair, safe and open way
protect children and other vulnerable people from being harmed or exploited by gambling.

Operators are expected to consider the issues outlined below and review their own practices to identify and implement improvements in respect of the management of customers’ accounts.

A regulatory review under section 116 of the Act was commenced following a Compliance Assessment (the Assessment) of the remote Operating Licence of Football Pools Limited (the Licensee) (licence number 048272-R-326339-008).

The review found failings in the Licensee’s Anti-Money Laundering / Counter Terrorist Financing (AML/CTF) and Social Responsibility (SR) controls. The failings related to the Licensee’s online betting, as opposed to the non-remote Pool Betting.

The Licensee failed to comply with the following Licence Conditions and Codes of Practice (LCCP) between September 2022 and August 2023:

paragraphs 2 and 3 of Licence Condition (LC) 12.1.1 which requires licensees to ensure they have appropriate policies, procedures and controls to prevent Money Laundering (ML) and Terrorist Financing (TF). The Licensee must also ensure that ML policies, procedures and controls are implemented effectively, kept under review, revised appropriately to ensure that they remain effective, and take into account any applicable learning or guidelines published by the Gambling Commission.
paragraphs 1, 4, 5 and 8 of Social Responsibility Code Provision (SRCP) 3.4.3 relating to remote customer interaction.

In line with our Statement of Principles for Licensing and regulation, the Licensee will make a payment in lieu of a financial penalty of £375,000. Details of this are set out under the heading Regulatory Settlement.

The Assessment and subsequent regulatory review found the following:

Breach of Paragraphs 2 and 3 of Licence Condition 12.1.1

LCCP 12.1.1 (2) requires:

"Following completion of and having regard to the risk assessment, and any review of the assessment, Licensees must ensure they have appropriate policies, procedures and controls to prevent money laundering and terrorist financing."

LCCP 12.1.1(3) requires:

"Licensees must ensure that such policies, procedures and controls are implemented effectively, kept under review, revised appropriately to ensure that they remain effective, and take into account any applicable learning or guidelines published by the Gambling Commission from time to time."

The Licensee accepted that it breached these licence conditions for the following reasons:

its AML policy was overly reliant on financial triggers to identify when customers present higher ML or TF risks
processes in place at the time of the assessment did not automatically apply hard stops when AML thresholds were reached and were only applied when resulting manual reviews took place. The Licensee did not always consider customer risk in a timely manner; specifically considering whether the risks presented by the customer warranted the application of a hard stop, or whether the risks were perceived to be such that the customer should be prevented from depositing and gambling further until a proper risk assessment was undertaken and a decision made on whether the relationship should continue
manual reviews did not always occur promptly, which meant that hard stops were not put in place in a timely manner, if at all
officials noted that there were incidents of delays in the creation of customer risk profiles, incidents where risk profiles had not been created, and incidents where risk profiles were not completed for a significant period (on average 25 days after the financial trigger was hit).

Failure to comply with paragraphs 1, 4, 5 and 8 of SRCP 3.4.3

Compliance with a SRCP is a condition of the licence by virtue of section 82(1) of the Act.

SRCP 3.4.3 paragraph 1 requires:

"Licensees must implement effective customer interaction systems and processes in a way which minimises the risk of customers experiencing harms associated with gambling. These systems and processes must embed the three elements of customer interaction – identify, act and evaluate – and which reflect that customer interaction is an ongoing process as explained in the Commission’s guidance (see paragraph 2)."

The Licensee accepted that it was not fully in compliance with paragraph 1 SRCP 3.4.3, as:

there were examples where customers were not identified for Safer Gambling (SG) interactions due to ineffective internal systems (system) it had in place. The system appeared to overly focus on financial triggers, some of which were set too high. There was no evidence of sufficient evaluation of individual customer interactions and the overall process for interactions. We would have expected the Licensee to have evaluated SG interactions and considered whether additional actions were required within a timely manner
the system was ineffective at providing safer gambling messages to customers who had opted out of marketing, which led to delays in interacting with such customers who were exhibiting markers of potential harm
the financial triggers alone, as detailed within the Licensee’s SG Policy and Customer Interaction policy, were not effective enough in identifying customers potentially at risk of harm. Officials noted examples showing customers who were able to spend prolonged periods gambling and spend at high levels in short periods of time and still not be identified for a SG interaction
a number of SG risk profiles should have been completed at the time of reaching the financial trigger as per SG Policy and Customer Interaction policy. However, the profiles were not created immediately, and in most cases, they were created months after reaching the trigger. There was a large backlog of risk profiles still to be completed due to low staffing levels.

SRCP 3.4.3 paragraph 4 requires:

"Licensees must have in place effective systems and processes to monitor customer activity to identify harm or potential harm associated with gambling, from the point when an account is opened."

The Licensee accepted it was not fully in compliance with paragraph 4 SRCP 3.4.3, as:

the Licensee was reliant on its system to monitor activity and identify harm or potential harm In addition, the process dictated that when a customer reached a financial trigger, they should receive an SG interaction. A number of SG risk profiles were not created by the Licensee immediately after a trigger was hit, in some cases this was not created until two months after the Financial Trigger was hit.

SRCP 3.4.3 paragraph 5 requires:

"Licensees must use a range of indicators relevant to their customer and the nature of the gambling facilities provided in order to identify harm or potential harm associated with gambling."

The Licensee accepted it was not fully in compliance with paragraph 5 SRCP 3.4.3, as:

the Assessment identified that customers gambling at high velocity or placing large bets were not always identified for interaction early enough
the system that was in place at the time was not sensitive enough to identify long periods of gambling as a potential marker of harm.

SRCP 3.4.3 paragraph 8 requires:

"Licensees must take appropriate action in a timely manner when they have identified the risk of harm." 

The Licensee accepted it was not fully in compliance with paragraph 8 SRCP 3.4.3, as:

it did not always take appropriate action in a timely manner when the risk of harm was identified
the Licensee has a range of SG financial triggers in place to identify potential harm in relation to customer spend. Officials found that customers were not always interacted with after reaching these financial triggers. One customer deposited circa £4,100 in two weeks after signing up but was not identified for an SG interaction despite reaching a financial alert.

This regulatory settlement consists of:

a payment of £375,000 in lieu of a financial penalty. The money will be directed to socially responsible purposes
agreement to the publication of a statement of facts in relation to this case
payment towards the Commission’s costs of investigating the case.

In considering an appropriate resolution to this investigation, the Commission has had regard to the following aggravating and mitigating factors:

Aggravating factors

the failings were serious and potentially impacted on the licensing objectives
breaches of AML requirements directly imperil the first licensing objective of ‘preventing gambling from being a source of crime or disorder’
breaches of SRCP 3.4.3 directly imperil the third licensing objective of protecting vulnerable persons from being harmed or exploited by gambling
the breach arose in circumstances that were similar to previous cases the Commission has dealt with which resulted in the publication of lessons learned for the wider industry'.

Mitigating factors

The Licensee:

swiftly put in place an action plan designed to remedy the failings and provided updates
fully co-operated with the investigation and provided information by agreed deadlines.

Good practice

Gambling operators should take account of the failings identified in this investigation to ensure industry learning. Operators should consider the following questions and take remedial action where required:

do you have effective processes in place to test and assess whether your policies, procedures and controls are being effectively implemented by staff? Is this recorded and demonstrable?
do you have set turnaround times for manual reviews, actions, processes, etc? Are these routinely met?
are you fully scrutinising all customer information available to you in a timely manner, properly assessing and taking steps to mitigate potential ML/TF and SR risks?
do you act quickly enough when customers display potential markers of harm? Do your procedures specify appropriate timescales for actions and interactions?
if you deviate from your policies and procedures, are you able to justify this and do you fully document those decisions and the rationale?
do you have a formalised process for analysing the effectiveness of customer interactions to ensure that reviews were adequately documented and consistent in their approach?
do you log the types of behaviour which have triggered a customer interaction and keep sufficiently detailed records of interactions? Does this include decisions not to interact with a customer?

End of public statement

AG Communications Limited Public Statement

Published: 4 March 2025

Operators are expected to consider the issues outlined below and review their own practices to identify and implement improvements in respect of the management of customers’ accounts.

Introduction

prevent gambling from being a source of crime or disorder, being associated with crime or disorder or being used to support crime
ensure that gambling is conducted in a fair, safe and open way
protect children and other vulnerable people from being harmed or exploited by gambling.

Operators are expected to consider the issues outlined below and review their own practices to identify and implement improvements in respect of the management of customers’ accounts.

A regulatory review under section 116 of the Act was commenced following a Compliance Assessment of the remote Operating Licence of AG Communications Limited (licence number 039483-R-319409-017).

The review found failings in AG Communications Limited’s Anti-Money Laundering / Counter Terrorist Financing (AML/CTF) and Social Responsibility (SR) controls.

AG Communications Limited failed to comply with the following requirements of the Licence Conditions and Codes of Practice (the LCCP) between May 2023¹ and October 2024².

Paragraph 3 of Licence Condition (LC) 12.1.1 Anti-money laundering
Paragraphs 1, 4, 7,9 and 11 of Social Responsibility Code Provision (SRCP) 3.4.3 relating to remote customer interaction.
SRCP 3.9.1 (1) – Identification of Individual Customers – (Remote)
LC 4.2.1 (1) – Disclosure to Customers
LC 15.2.1 (15) – Reporting Key Events
SRCP 4.2.6 (1) – Display of Rules
SRCP 3.5.3 (1) - Self-exclusion – remote SR code

In line with our Statement of Principles for Licensing and Regulation, AG Communications Limited will make a payment in lieu of a financial penalty of £1,407,834. Details of this are set out under the heading Regulatory Settlement.

A Commission compliance assessment identified failings, and a regulatory review was commenced. During the review the Licensee made an early Regulatory Settlement Proposal (RSP) in which it admitted:

Breach of Licence Condition 12.1.1 (3)

Licence Condition 12.1.1 requires:

We found that, on occasion, AG Communications Limited did not ensure that its policies, procedures and controls were effectively implemented.

Specifically, AG Communications Limited’s failures included:

AML/CTF policies and procedures were too reliant on financial thresholds
when customer accounts that were reviewed hit a medium, medium/high or high ML risk score they were not subject to a manual Enhanced Customer Due Diligence (ECDD) check until a financial trigger was hit
when financial thresholds were reached there were delays in completing ECDD checks. One customer who reached the financial trigger did not have an ECDD review conducted until a week later
not following its policy regarding ECDD checks. One customer who reached a financial threshold but did not have a high AML risk score, did not have a manual ECDD review until eight days later. This was contrary to AG Communications Limited’s policy.

Failure to comply with paragraphs 1, 4, 7, 9 and 11 of SRCP 3.4.3

Compliance with a SRCP is a condition of the licence by virtue of section 82(1) of the Act.

SRCP 3.4.3 paragraph 1 requires:

We found that, on occasion, AG Communications Limited had not ensured that its policies, procedures and controls had been effectively implemented.

Specifically, AG Communication Limited’s failures included:

failed to fully and effectively implement its “Responsible Matrix Interactions Protocol” in that, when a customer is identified as “medium high-risk”, a telephone interaction should take place. Not all customers identified as “medium high-risk” received a timely interaction
a backstop daily loss limit figure, designed to protect customers from significant losses, was not working correctly for certain historical account holders due to a system error and allowed affected customers to play through the loss limit
176 customers were identified as being affected by the daily loss limit error. These customers were able to deposit a combined total of £220,334 over the daily loss limit.

SRCP 3.4.3 paragraph 4 requires:

"Licensees must have in place effective systems and processes to monitor customer activity to identify harm or potential harm associated with gambling, from the point when an account is opened"

We found AG Communications Limited:

did not have effective systems in place to prevent customers spending significant amounts of money in a short period of time before an assessment was made as to whether the customer was potentially at risk of gambling related harm. This raised concern that velocity spend was not being identified or acted upon quickly enough.
one customer was able to deposit and lose circa £7,000 in just over four hours in the early hours. This player was able to play through the backstop in place at that time, due to a system error which failed to prevent the customer from depositing above the backstop limit
a manual review of the customer did not identify the fact they had played through the backstop trigger.

SRCP 3.4.3 paragraph 7 requires:

"A Licensee’s systems and processes for customer interaction must flag indicators of risk of harm in a timely manner for manual intervention, and feed into automated processes as required by paragraph 11" (see below).

• the Licensee used automated financial trigger thresholds as a potential indicator of harm, but these were calculated in Euro currency only. This meant players who deposited in other currencies such as Sterling were not always identified in a timely manner for a manual interaction.

SRCP 3.4.3 paragraph 9 requires:

"Licensees must tailor the type of action they take based on the number and level of indicators of harm exhibited. This must include, but not be limited to, systems and processes which deliver:

a. tailored action at lower levels of indicators of harm which seek to minimise future harm
b. Increasing action where earlier stages have not had the impact required
c. strong or stronger action as the immediate next step in cases where that is appropriate, rather than increasing action gradually
d. reducing or preventing marketing or the take-up of new bonus offers where appropriate
e. ending the business relationship where necessary."

AG Communications Limited’s failures included:

not tailoring the type of action, it took based on the number and level of indicators of harm. There was evidence of customers being sent multiple emails, but this did not affect the customers’behaviour in relation to spend and/or nighttime play. The behaviour of customers did not change as a result of being sent multiple emails, but the operator did not increase its action in ways that we would have expected
a customer who was exhibiting potential indicators of harm - playing sessions above three hours, losses of circa £4,500 and staking circa £35,000 in two weeks - was sent two generic Safer Gambling (SG) interaction emails. Although a SG call was made to the customer, the record of this conversation showed it consisted of closed questions and did not address the playing session length, the losses or staking levels
a customer who had previously self-excluded sent a bank statement to the Licensee for proof of address, showing a balance of £75. Multiple financial triggers were hit, and the customer was assessed as high-risk yet was sent SG interaction (pop-ups) which were tailored towards lower levels of risk
AG Communications Limited failed to keep a detailed record of interactions it conducted with a customer identified as high-risk. An on-line chat did take place, but it consisted of closed questions. The customer was able to raise their monthly loss limit from £1,000 to £4,000 with no justification recorded. The Commission would expect the Licensee to conduct meaningful interactions and record in detail the rational for any action.
one customer was sent three emails during the duration of their account, but the emails did not affect the behaviour of the customer with velocity of play continuing to increase, along with night time play and multiple failed deposits.
AG Communications Limited failed to conduct a SG interaction despite a customer losing circa £6,000 in 48 hours. This customer was a student. It is acknowledged that a telephone interaction was attempted but only when the daily loss limit of £5,000 in 24 hours was reached.

SRCP 3.4.3 paragraph 11 requires:

"Licensees must ensure that strong indicators of harm, as defined within the licensee’s process, are acted on in a timely manner by implementing automated processes. Where such auto mated processes are applied, the licensee must manually review their operation in each individual customer’s case and the licensee must allow the customer the opportunity to contest any automated decision which affects them."

AG Communications Limited’s automated process failed a customer who was identified as high-risk, and the manual process was not undertaken until the following day. This meant that despite there being evidence of strong indicators of harm being present, they were not acted on in a timely manner.

"Licensees must have and put into effect policies and procedures designed to identify separate accounts which are held by the same individual."

one customer was able to open a significant number of gambling accounts despite the fact they had previously self-excluded. Another customer, who had previously had an account closed due to suspicious activity, was able to open an account.

Breach of Licence Condition 4.2.1 (1) - Disclosure to customers requires:

"Licensees who hold customer funds must set out clearly in the terms and conditions under which they provide facilities for gambling information about whether customer funds are protected in the event of insolvency, the level of such protection and the method by which this is achieved."

Failures included:

AG Communications Limited’s terms and conditions on the white label site Neptuneplay.com website did not inform customers of the level of protection of funds that the Licensee provided, as detailed in the Commission’s guidance.

Breach of Licence Condition 15.2.1 (15) – Reporting key events requires:

"A key event is an event that could have a significant impact on the nature or structure of a licensee’s business. Licensees must notify the Commission, in such form or manner as the Commission may from time to time specify, of the occurrence of specific key events as soon as reasonably practicable and in any event within five working days of the licensee becoming aware of the events occurrence."

Paragraph 15 details one such event namely:

"The making of a disclosure pursuant to section 330, 331, 332, or 338 of the Proceeds of Crime Act 2002 or section 19, 20, 21, 21ZA, 21ZB or 21A of the Terrorism Act 3000 (a Suspicious Activity Report)(“SAR”): the licensee should inform the Commission of the unique reference number issued by the United Kingdom Financial Intelligence Unit of the National Crime Agency in respect of each disclosure and for the purposes of this key event the five working day period referred to above runs from the licensee’s receipt of the unique reference number. The licensee should also indicate whether the customer relationship has been discontinued at the time of the submission."

Failures included:

AG Communications Limited failed to notify the Commission - as soon as reasonably practicable and in any event within five working days of the submission - of SARs. Instead, it submitted key event notices in batches over a period of several months at a time

Failure to comply with SRCP 4.2.6 (1) – Display of Rules – betting requires:

"Licensees must set out within the full rules that they make available, the core elements for the acceptance and settlement of bets. These rules must cover:

a. the circumstances under which the operator will void a bet;
b. treatment of errors, late bets and related contingencies;
c. availability of odds for any ante-post, early show or starting price betting, and treatment of place, forecast bets etc;
d. treatment of withdrawals, non-runners, and reformed markets;
e. maximum payout limiting liability for a specific betting product or generally;
f. any changes made to customers for the use of betting services or products, and how these are calculated (including deductions from winnings for commission, or in respect of withdrawn horses etc);
g. means or medium by which the outcome of an event will be determined;
h. the rules for the event itself to be specified (eg horserace bets only to be accepted; where the racing is subject to British Horseracing Authority rules);
i. where bets are accepted on ‘pari-mutuel’ terms and
j. any special arrangements for settling bets on ‘coupled’ horses."
the Commission found the link to AG Communications Limited’s betting rules by sport for customers, was not working on the Neptuneplay.com website.

Failure to comply with SRCP 3.5.3 (1) – Self-exclusion – remote SR code

"Licensees must have put into effect procedures for self-exclusion and take all reasonable steps to refuse service or to otherwise prevent an individual who has entered a self-exclusion agreement from participating in gambling."

The Licensee acknowledged that its system for preventing self-excluded customers from gambling was not as robust as it should have been, and it was in breach of SRCP 3.5.3(1).

one customer was able to bypass the Licensee’s account matching mechanism by using different variations of their first name, surname, email address, and postal address. This allowed them to circumvent the self-exclusion system, which should detect duplicate accounts and prevent self-excluded players from creating new accounts across the network. This self-excluded customer was able to register in excess of 100 accounts with the Licensee and went on to deposit circa £30,000 and lost circa £19,000 over a 21-month period.

This regulatory settlement consists of:

a payment of £1,407,834 in lieu of a financial penalty, which includes a divestment of £220,334. The money will be directed to socially responsible purposes
agreement to the publication of a statement of facts in relation to this case
payment towards the Commission’s costs of investigating the case.

In considering an appropriate resolution to this investigation, the Commission has had regard to the following aggravating and mitigating factors:

Aggravating factors

the failings were serious and potentially impacted on the licensing objectives
in May 2023, AG Communications Limited was subject of a Compliance Assessment, where failings were identified. A further Compliance Assessment was carried out in December 2023, a number of failings were identified, some of these being the same as those identified in the May 2023 assessment
the Licensee has been subject of a previous operating licence review
the breaches arose in circumstances that were similar to previous cases the Commission has dealt with which resulted in the publication of lessons learned for the wider industry.

Mitigating factors

AG Communications Limited:

put in place an action plan designed to remedy the failings and mitigate risk to customers following the December 2023 Assessment
fully co-operated with the investigation and provided regular updates
accepted the failings at an early stage in the investigation
voluntarily agreed a third-party audit to ensure compliance with AML and Safer Gambling and to improve internal training.

Good practice

do you have effective processes in place to test and assess whether your policies, procedures and controls are being effectively implemented by staff? Is this recorded and demonstrable?
do you have set turnaround times for manual reviews, actions, processes, etc? Are these routinely met?
have staff received adequate initial and refresher training? Is this recorded and demonstrable?
do you have an effective method to disseminate feedback, good practice and lessons learned to your staff?
do you fully investigate accounts and mitigate risks when links are identified?
are you fully scrutinising all customer information available to you in a timely manner, properly assessing and taking steps to mitigating potential ML/TF and SR risks?
do you have an adequate system for cross-departmental sharing of information and concerns? For example, would your Fraud/AML agents alert your social responsibility agents if a bank statement showing financial vulnerability was received?
do you act quickly enough when customers display potential markers of harm? Do your procedures specify appropriate timescales for actions and interactions?
if you deviate from your policies and procedures, are you able to justify this and do you fully document those decisions and the rationale?

Notes

¹ With the exception of SRCP 3.5.3 (1) which commenced in October 2022 and concluded in May 2024

² The other breaches commenced on dates between May 2023 and November 2023 and concluded between December 2023 and October 2024

End of public statement

Greentube Alderney Limited Public Statement

Published: 9 January 2025

Operators are expected to consider the issues outlined below and review their own practices to identify and implement improvements in respect of the management of customers’ accounts.

Introduction

prevent gambling from being a source of crime or disorder, being associated with crime or disorder or being used to support crime
ensure that gambling is conducted in a fair, safe and open way
protect children and other vulnerable people from being harmed or exploited by gambling.

Operators are expected to consider the issues outlined below and review their own practices to identify and implement improvements in respect of the management of customers’ accounts.

A section 116 (of the Act) regulatory review was commenced following a Compliance Assessment of the remote Operating Licence of Greentube Alderney Limited (licence number 039050 – R – 319315-018).

The review found failings in Greentube Alderney Limited’s Anti-Money Laundering / Counter Terrorism Financing (AML/CTF) and Social Responsibility (SR) controls.

Greentube Alderney Limited failed to comply with the following requirement of the Licence Conditions and Codes of Practice (LCCP) between September 2022 and June 2023:

paragraph 3 of Licence Condition (LC) 12.1.1 which requires licensees to ensure that Money Laundering (ML) policies, procedures and controls are implemented effectively, kept under review, revised appropriately to ensure that they remain effective, and take into account any applicable learning or guidelines published by the Gambling Commission.

Greentube Alderney Limited failed to comply with the following requirement of the Licence Conditions and Codes of Practice (LCCP) between December 2022 and June 2023:

paragraphs 1 and 8 of Social Responsibility Code Provision (SRCP) 3.4.3 relating to remote customer interaction.

In line with our Statement of principles for licensing and regulation, Greentube Alderney Limited will make a payment in lieu of a financial penalty of £1,000,000. Details of this are set out under the heading Regulatory Settlement.

A Commission compliance assessment and subsequent regulatory review found:

Breach of Paragraph 3 of Licence Condition 12.1.1

LCCP 12.1.1(3) requires:

We found that, on occasion, Greentube Alderney Limited did not ensure that its policies, procedures and controls were effectively implemented.

Specifically, Greentube Alderney Limited did not always:

scrutinise available information upon receipt, or in a timely manner, leading to an avoidable delay in the identification and potential escalation of money laundering/terrorist financing risk(s). For example, after registering an online account, a customer provided a bank statement as proof of address. The bank statement showed complex and unusual transactions, including over £100,000 being transferred in and out of the account (in multiple transactions), and a negative closing balance. It was only when the ML risk increased, as the customer’s spend reached a designated threshold four months later, that the bank statement was scrutinised, and the matter escalated to the Money Laundering Reporting Officer (MLRO) in accordance with its policy.
fully investigate and escalate accounts showing apparent links to other accounts in a timely manner. Greentube Alderney Limited’s policy does not permit duplicate accounts. Whilst some of its controls were effective Officials saw examples where pertinent information regarding potential links between accounts was received by the Licensee but not fully considered and acted upon, until a financial trigger had been reached. This led to an avoidable delay in investigation, escalation and actions taken to mitigate potential ML/TF risks of accounts being potentially funded or controlled by a different account holder. Officials saw one example where potential links (address and surname) to an individual with previous convictions for the supply of class A drugs were not fully considered and escalated in a timely manner.
follow its policy regarding what it refers to as “risky occupations”. Although its controls considered risks posed by the industry in which the customer is employed, there were certain circumstances which resulted in insufficient consideration being given to the risk posed by persons who had access to third-party funds which could have been misappropriated and used to fund the person’s gambling. For example, in one case the potential increased risk posed by a ‘finance manager’ was not recognised or built into the customer’s risk profile, and no steps were taken to mitigate the increased risk.
follow its recycled winnings policy. Greentube Alderney’s policy specified a time period for accepting ‘recycled winnings’ (winnings which have been withdrawn and redeposited) after which the customer’s source of funds would be requested. This is to mitigate the potential ML/TF risks associated with money subsequently deposited being from a different source to that previously won and withdrawn. However, the operator did not always follow that policy. In one example, following a large win and withdrawal, a customer was allowed to continue depositing funds from different payment methods long after the specified time period without the operator requesting source of funds information. In total over £70,000 was deposited without the customer being asked to evidence their source of funds.

The Commission’s review of the specific customers identified during the compliance assessment found no evidence of money laundering or criminal spend with the Licensee.

Failure to comply with paragraphs 1 and 8 of SRCP 3.4.3

Compliance with a SRCP is a condition of the licence by virtue of section 82(1) of the Act.

SRCP 3.4.3 paragraph 1 requires:

We found that on occasion Greentube Alderney Limited had not ensured that its policies, procedures and controls had been effectively implemented.

Specifically, Greentube Alderney Limited:

failed to fully and effectively implement its policy regarding big/high winners.
The operator had a policy aimed at ensuring customer limits are based on regular, sustainable income - as opposed to one-off or irregular forms of income. The Commission saw one customer example where, following a withdrawal of significant winnings, a customer was permitted to deposit significant sums for a period greatly in excess to that specified in its policy. The deposits were made without any evidence being provided by the customer confirming the source of the further deposits were the original withdrawn winnings.
did not always fully and effectively implement its processes regarding the legitimacy of documents. Despite its agents receiving training on fraudulent documents, it was found that agents did not always apply their training.
did not fully and effectively implement its controls to identify indicators of vulnerability/potential harm in a timely manner.
Officials saw examples where documentation provided by customers – which indicated potential financial vulnerability – was either not reviewed at all or was not reviewed or escalated until a financial trigger was hit or a concerning comment made. As a result, customers were allowed to deposit at higher limits despite Greentube Alderney Limited being in possession of documentation showing issues such as low account balances, overdrafts, transactions to other gambling operators, deposits disproportionate to salary, and social/housing benefits. For example, one customer supplied a bank statement (as proof of address) that had a negative opening and closing balance and included numerous transactions to another gambling operator. There was no evidence that the bank statement had been considered, and the potential vulnerabilities identified from a social responsibility perspective, four months later when the account was blocked for AML reasons. Over £4,000 had been deposited during this period.

SRCP 3.4.3 paragraph 8 requires:

"Licensees must take appropriate action in a timely manner when they have identified the risk of harm."

We found that, on occasion, Greentube Alderney Limited did not always take appropriate action in a timely manner when the risk of harm was identified.

In some accounts reviewed, although risk indicators/markers of harm were present in a customer’s journey and a phone interaction was deemed appropriate, the calls were not performed promptly, rather they were postponed whilst further monitoring took place and/or until a further/higher trigger had been hit or other behaviour prompted it.

This regulatory settlement consists of:

a payment of £1,000,000 in lieu of a financial penalty, this includes a divestment of £22,113. The money will be directed to socially responsible purposes
agreement to the publication of a statement of facts in relation to this case
payment towards the Commission’s costs of investigating the case.

In considering an appropriate resolution to this investigation, the Commission has had regard to the following aggravating and mitigating factors:

Aggravating factors

the failings were serious and potentially impacted on the licensing objectives
in 2021 the Commission accepted a regulatory settlement from Greentube Alderney Limited for historical failings in relation to AML/CTF and SR controls
the breach arose in circumstances that were similar to previous cases the Commission has dealt with which resulted in the publication of lessons learned for the wider industry.

Mitigating factors

Greentube Alderney Limited:

swiftly put in place an action plan designed to remedy the failings and provided updates
fully co-operated with the investigation and provided information by agreed deadlines
accepted the failings at an appropriately early stage in the investigation.

Good practice

do you have effective processes in place to test and assess whether your policies, procedures and controls are being effectively implemented by staff? Is this recorded and demonstrable?
do you have set turnaround times for manual reviews, actions, processes, etc? Are these routinely met?
have staff received adequate initial and refresher training? Is this recorded and demonstrable?
do you have an effective method to disseminate feedback, good practice and lessons learned to your staff?
do you fully consider the risks associated with customers who may have access to third-party funds which could be misappropriated?
do you fully investigate accounts and mitigate risks when links are identified?
are you fully scrutinising all customer information available to you in a timely manner, properly assessing and taking steps to mitigating potential ML/TF and SR risks?
do you have a good system for cross-departmental sharing of information and concerns? For example, would your Fraud/AML agents alert your social responsibility agents if a bank statement showing financial vulnerability was received?
do you act quickly enough when customers display potential markers of harm? Do your procedures specify appropriate timescales for actions and interactions?
if you deviate from your policies and procedures, are you able to justify this and do you fully document those decisions and the rationale?

End of public statement

Hillside (UK Sports) ENC Public Statement

Published: 4 April 2024

Operators are expected to consider the issues outlined below and review their own practices to identify and implement improvements in respect of the management of customers’ accounts.

Introduction

prevent gambling from being a source of crime or disorder, being associated with crime or disorder or being used to support crime
ensure that gambling is conducted in a fair, safe and open way
protect children and other vulnerable people from being harmed or exploited by gambling.

The Gambling Commission commenced a section 116 regulatory review of Hillside (UK Sports) ENC (the Licensee) - General Betting Standard - Real Event, General Betting Standard - Virtual Event, and Pool Betting – Remote, Licence Number 055148-R-331498-001 - following a compliance assessment conducted in March 2022.

The regulatory review found failings in the Licensee’s processes aimed at preventing Money Laundering (ML) and protecting individuals from being harmed or exploited by gambling.

The Licensee failed to comply with the following Licence Conditions and Codes of Practice (LCCP):

paragraph 2 of licence condition 12.1.1, requiring operators to comply with the prevention of ML and Terrorist Financing (TF), between May 2021 and July 2022
paragraphs 1b and 1c of Social Responsibility Code Provision (SRCP) 3.4.1, requiring licensees to interact with customers in a way which minimises the risk of customers experiencing harms associated with gambling, between October 2021 and September 2022.

Taking into account remedial action taken by the Licensee and in line with our Statement of principles for licensing and regulation, the Licensee will pay a total of £239,085 in lieu of a financial penalty.

The investigation and our subsequent regulatory review found the Licensee had:

Breached paragraph 2 of licence condition 12.1.1 between May 2021 and July 2022

Licence condition 12.1.1(2) states: “Following completion of and having regard to the risk assessment, and any review of the assessment, licensees must ensure they have appropriate policies, procedures and controls to prevent money laundering and terrorist financing.”

The Licensee accepted that, at the time of the assessment:

the know your customer triggers in place were ineffective at managing ML risk
it failed to undertake financial sanctions checks (opens in a new tab) on new customers prior to their first deposits
it failed to undertake independent verification checks and over relied on customers’ annual self-verification of know your customer information, such as identification documents
its procedure document contained inadequate detail as to who would be deemed “at risk” and “not at risk” for customer risk profiling.

The Commission’s review of the specific customers identified during the compliance assessment found no evidence of criminal spend with the Licensee or the acceptance of funds from persons subject to financial sanctions.

Compliance with a SRCP is a condition of the licence by virtue of section 82(1) of the Act. SRCP 3.4.1 (in force from 31 October 2019 until 11 September 2022) states:

“1. Licensees must interact with customers in a way which minimises the risk of customers experiencing harms associated with gambling. This must include:

b. interacting with customers who may be at risk of or experiencing harms associated with gambling.
c. understanding the impact of the interaction on the customer, and the effectiveness of the Licensee’s actions and approach”.

The Licensee accepted that at the time of the Assessment:

interactions were frequently not tailored to the specific customer journey or spectrum of harm and therefore interactions were not meaningful
its Early Risk Detection System was not demonstrably effective in understanding the impact of individual interactions on a customer’s behaviour and whether further action was required
its approach to evaluation meant that it was unable to effectively ascertain whether a customer had read and understood the information or advice provided within its interactions.

This regulatory settlement consists of:

a payment of £239,085 in lieu of a financial penalty, which will be directed towards socially responsible purposes
agreement to the publication of a statement of facts in relation to this case
payment of £15,684.50 towards the Commission’s costs of investigating the case.

In considering an appropriate resolution to this investigation, the Commission has had regard to the following aggravating and mitigating factors:

Aggravating factors

there has been a repeated breach or failure by the operator
the breach arose in circumstances that were similar to previous cases the Commission has dealt with which resulted in the publication of lessons to be learned for the wider industry
the breach continued after the licensee became aware of it
the scale of the breach of a licence condition across the licensed entity
the impact on customers and the public
the absence of internal controls or procedures intended to prevent the breach
the duration of the breach.

Mitigating factors

the extent of steps taken to remedy the breach
timely co-operation with any investigation undertaken by the Commission.

Good practice

Gambling operators should take account of the failings identified in this investigation to ensure industry learning. Operators should consider the following questions:

do you have formal processes in place to measure the effectiveness of your anti-money laundering and safer gambling policies and are findings adequately recorded?
do you efficiently record all compliance-related decisions and are you able to demonstrate to the Commission, on request, evidence of ongoing assessment, evaluation and improvement?
do lessons learned from public statements flow into your policies and procedures?
do you undertake financial sanctions checks on new customers prior to their first deposits?
are your customer risk profiles informed by or linked to your ML and TF risk assessment?
do you have a formalised process for analysing the effectiveness of customer interactions to ensure that reviews were adequately documented and consistent in their approach?
do you log the types of behaviour which have triggered a customer interaction and keep sufficient records of interactions, along with decisions not to interact especially in terms of the level of detail provided?
have your staff received sufficient anti-money laundering and social responsibility training?

End of public statement

Hillside (UK Gaming) ENC Public Statement

Published: 4 April 2024

Operators are expected to consider the issues outlined below and review their own practices to identify and implement improvements in respect of the management of customers’ accounts.

Introduction

prevent gambling from being a source of crime or disorder, being associated with crime or disorder or being used to support crime
ensure that gambling is conducted in a fair, safe and open way
protect children and other vulnerable people from being harmed or exploited by gambling.

The Gambling Commission commenced a section 116 regulatory review of Hillside (UK Gaming) ENC (the Licensee) - Remote Bingo and Casino Operating Licence Number 055149- R-331499-002 - following a compliance assessment conducted in March 2022.

The regulatory review found failings in the Licensee’s processes aimed at preventing Money Laundering (ML) and protecting individuals from being harmed or exploited by gambling.

The Licensee failed to comply with the following Licence Conditions and Codes of Practice (LCCP):

paragraph 2 of licence condition 12.1.1, requiring operators to comply with the prevention of ML and Terrorist Financing (TF), between May 2021 and July 2022
licence condition 12.1.2, requiring operators based in foreign jurisdictions to comply with the Money Laundering, Terrorist Financing and Transfer of Funds (Information of the Payer) Regulations 2017 (the 2017 Regulations), between May 2021 and July 2022
paragraphs 1b and 1c of Social Responsibility Code Provision (SRCP) 3.4.1, requiring licensees to interact with customers in a way which minimises the risk of customers experiencing harms associated with gambling, between October 2021 and September 2022.

Taking into account remedial action taken by the Licensee and in line with our Statement of principles for licensing and regulation, the Licensee will pay a total of £343,035 in lieu of a financial penalty.

The investigation and our subsequent regulatory review found the Licensee had:

Breached paragraph 2 of licence condition 12.1.1 (Prevention of money laundering and terrorist financing) between May 2021 and July 2022

The Licensee accepted that, at the time of the assessment:

the enhanced customer due diligence triggers in place were ineffective at managing ML risk
it failed to undertake financial sanctions checks on new customers prior to their first deposits
it failed to undertake independent verification checks and over relied on customers’ annual self-verification of customer due diligence information, such as identification documents
its procedure document contained inadequate detail as to who would be deemed “at risk” and “not at risk” for customer risk profiling.

Breached licence condition 12.1.2 (Anti-Money Laundering - Measures for operators based in foreign jurisdictions) between May 2021 and July 2022

Licence condition 12.1.2 has been in place since October 2016 and requires that: “Licensees must comply with Parts 2 and 3 of the Money Laundering Regulations 2007 (UK Statutory Instrument No. 2157 of 2007) as amended by the Money Laundering (Amendment) Regulations 2007 (UK Statutory Instrument No. 3299 of 2007), or the equivalent requirements of any UK Statutory Instrument by which those regulations are amended or superseded insofar as they relate to casinos (the MLR) whether or not the MLR otherwise apply to their business”.

Hillside (UK Gaming) ENC accepted it breached this licence condition as the AML failings, set out above, constitute a breach of the 2017 Regulations, namely:

Regulation 28(11)(a) requires ongoing monitoring of a business relationship which includes, where necessary, checking source of funds to ensure that the transactions are consistent with the relevant person’s knowledge of the customer, the customer’s business and risk profile
Regulation 33 imposes an obligation to apply enhanced customer due diligence measures and enhanced ongoing monitoring in any case identified as one where there is a high risk of ML or TF.

Failed to comply with paragraphs 1b and 1c of SRCP 3.4.1 (Customer Interaction) between October 2021 to September 2022

Compliance with a SRCP is a condition of the licence by virtue of section 82(1) of the Act. SRCP 3.4.1 (in force from 31 October 2019 until 11 September 2022) states:

“1. Licensees must interact with customers in a way which minimises the risk of customers experiencing harms associated with gambling. This must include:

b. interacting with customers who may be at risk of or experiencing harms associated with gambling.
c. understanding the impact of the interaction on the customer, and the effectiveness of the Licensee’s actions and approach”.

The Licensee accepted that at the time of the assessment:

interactions were frequently not tailored to the specific customer journey or spectrum of harm and therefore interactions were not meaningful
its Early Risk Detection System was not demonstrably effective in understanding the impact of individual interactions on a customer’s behaviour and whether further action was required
its approach to evaluation meant that it was unable to effectively ascertain whether a customer had read and understood the information or advice provided within its interactions.

This regulatory settlement consists of:

a payment of £343,035 in lieu of a financial penalty, which will be directed towards socially responsible causes
agreement to the publication of a statement of facts in relation to this case
payment of £15,684.50 towards the Commission’s costs of investigating the case.

In considering an appropriate resolution to this investigation, the Commission has had regard to the following aggravating and mitigating factors:

Aggravating factors

there has been a repeated breach or failure by the operator
the breach arose in circumstances that were similar to previous cases the Commission has dealt with which resulted in the publication of lessons to be learned for the wider industry
the breach continued after the licensee became aware of it
the scale of the breach of a licence condition across the licensed entity
the impact on customers and the public
the absence of internal controls or procedures intended to prevent the breach.
the duration of the breach.

Mitigating factors

the extent of steps taken to remedy the breach
timely co-operation with any investigation undertaken by the Commission.

Good practice

Gambling operators should take account of the failings identified in this investigation to ensure industry learning. Operators should consider the following questions:

do you have formal processes in place to measure the effectiveness of your anti-money laundering and safer gambling policies and are findings adequately recorded?
do you efficiently record all compliance-related decisions and are you able to demonstrate to the Commission, on request, evidence of ongoing assessment, evaluation and improvement?
do lessons learned from public statements flow into your policies and procedures?
do you undertake financial sanctions checks on new customers prior to their first deposits?
are your customer risk profiles informed by or linked to your ML and TF risk assessment?
do you have a formalised process for analysing the effectiveness of customer interactions to ensure that reviews were adequately documented and consistent in their approach?
do you log the types of behaviour which have triggered a customer interaction and keep sufficient records of interactions, along with decisions not to interact especially in terms of the level of detail provided?
have your staff received sufficient anti-money laundering and social responsibility training?

End of public statement

Lindar Media Limited Public Statement

Published: 20 September 2023

Operators are expected to consider the issues outlined below and review their own practices to identify and implement improvements in respect of the management of customers’ accounts.

Introduction

prevent gambling from being a source of crime or disorder, being associated with crime or disorder or being used to support crime
ensure that gambling is conducted in a fair, safe and open way
protect children and other vulnerable people from being harmed or exploited by gambling.

The Gambling Commission commenced a section 116 regulatory review of Lindar Media Limited (the Licensee), Combined Remote Operating Licence Number 051250-R-328289-006, following a compliance assessment conducted in September 2022.

The regulatory review found failings in Lindar Media Limited’s processes aimed at preventing Money Laundering (ML) and protecting individuals from being harmed or exploited by gambling.

Officials found that, between July 2021 and September 2022, Lindar Media Limited failed to comply with the following Licence Conditions and Codes of Practice (LCCP):

paragraphs 1, 2 and 3 of licence condition 12.1.1 requiring compliance with measures to prevent ML and Terrorist Financing (TF)
ordinary code provision 2.1.1 requiring non-remote and remote casino licence holders to act in accordance with the Commission’s guidance on Anti-Money Laundering (AML): The Prevention of Money Laundering and Combating the Financing of Terrorism – Guidance for remote and non-remote casinos
licence condition 15.2.1(4) – requiring licensees to notify the Commission of specific key events, such as the appointment of a person to, or a person ceasing to, occupy a key position
licence condition 1.2.1(3) – requiring compliance relating to specified management offices
paragraphs 1a, 1b and 2 of Social Responsibility Code Provision (SRCP) 3.4.1 - requiring licensees to identify and interact with customers who may be at risk of or experiencing gambling related harms in a way which minimises the risk of customers experiencing harms associated with gambling, and to take into account the Commission’s guidance on customer interaction
SRCP 5.1.6 – requiring licensees are compliant with advertising codes
SRCP 3.1.1(2) – requiring licensees to make an annual contribution in relation to combating problem gambling.

Taking into account the remedial action taken by Lindar Media Limited prior to and immediately following the compliance assessment, and in line with our Statement of principles for licensing and regulation, Lindar Media Limited will pay a total of £690,947.

A Commission compliance assessment and subsequent regulatory review found:

failings in Lindar Media Limited’s implementation of its AML policies, procedures and controls
deficiencies in its responsible gambling policies, procedures, controls and practices
weaknesses in its reporting arrangements in respect of key events
the person responsible for the Licensee’s gambling regulatory compliance function (Head of Regulatory Compliance) occupied other management posts without the Commission’s approval
failure to advertise its marketing products in a socially responsible manner
failure to make an annual financial contribution to an organisation which support research, prevention and treatment for those harmed by gambling.

The investigation and our subsequent regulatory review found Lindar Media Limited had been in breach of the following:

Breach of paragraph 1 of licence condition 12.1.1

Licence condition 12.1.1(1) states: “Licensees must conduct an assessment of the risks of their business being used for money laundering and terrorist financing. Such risk assessment must be appropriate and must be reviewed as necessary in the light of any changes of circumstances, including the introduction of new products or technology, new methods of payment by customers, changes in the customer demographic or any other material changes, and in any event reviewed at least annually.”

The Licensee failed to have an appropriate ML and TF risk assessment, as it did not to reference that it had adequately assessed risk relating to:

customers
means of payment
additional inherent risks
emerging risks operator control.

In addition, the ML and TF risk assessment did not specifically address certain key risk factors as set out in the Money Laundering Regulations 2017 (the Regulations) and the Commission’s Prevention of money laundering and combating the financing of terrorism (PDF) (opens in a new tab) (February 2021) (the AML Guidance) including:

customers that are associated with higher risk countries, as a result of their citizenship, country of business or country of residence may present a higher ML and TF risk, taking into account all other relevant factors (Paragraph 2.20 of the AML Guidance)
disproportionate spend – casino operators should obtain information about customers’ financial resources so that they can determine whether customers spending is proportionate to their income or wealth (Paragraph 2.22 of the AML Guidance)
when a business relationship is conducted in unusual circumstances (Paragraph 6.33 of the AML Guidance)
where a customer is the beneficiary of a life insurance policy (Paragraph 6.33 of the AML Guidance)
when a customer is a third country national who is applying for residence rights in or citizenship of a state in exchange for transfers of capital, purchase of a property, government bonds or investment in corporate entities in that state (Paragraph 6.33 of the AML Guidance).

Breach of paragraph 2 of licence condition 12.1.1

The following procedures and controls were not appropriate:

at the point of registration all customers were automatically assigned an ML risk rating of low. There was insufficient information known about the customer at the start of the business relationship to adequately profile the customer and assess the risk of ML or TF. There was at the time an over reliance on financial triggers to identify and manage ML risks. The Commission accepts the Licensee had other triggers which were not financial
some financial thresholds in place to identify the risks associated with ML and TF were set at a level which allowed a customer to deposit and lose £10,000 a figure which did not appear to be sufficiently risk-based. Other triggers in place did not prevent some customers from depositing and losing £10,000 in a short period of time. Officials acknowledge the Licensee has taken proactive steps to address this and the issue has now been rectified.

Breach of paragraph 3 of licence condition 12.1.1

Licence condition 12.1.1(3) states “Licensees must ensure that such policies, procedures and controls are implemented effectively, kept under review, revised appropriately to ensure that they remain effective, and take into account any applicable learning or guidelines published by the Gambling Commission from time to time.”

The policies and procedures had been reviewed, but not in a timely manner or as frequently as necessary to take into account the Guidelines published by the Commission. They had not been signed off by the Money Laundering Reporting Officer (MLRO). Officials acknowledge the Licensee has taken steps to address this.

Failure to take into account Ordinary Code Provision 2.1.1

Paragraph 1 of Ordinary Code Provision (OCP) 2.1.1 states: "In order to help prevent activities related to money laundering and terrorist financing, licensees should act in accordance with the Commission guidance on anti-money laundering. The Prevention Money Laundering and Combating the Financing of Terrorism Guidance for remote and non- remote casinos".

The Licensee failed to take into account OCP 2.1.1 in that, contrary to the AML Guidance, the Licensee:

had not followed the requirements as set out at Section 2 of the Guidance requiring the assessment of threats, vulnerabilities and consequences
did not sufficiently address how customer risk should be managed to reflect the Guidance in its AML policy
the Licensee’s AML policy had measures in place in relation to Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD), however they were not always implemented effectively.

Breach of licence condition 15.2.1 (4) - Reporting key events

Licensees must notify the Commission, in such form or manner as the Commission may from time to time specify, of the occurrence of a key event, as soon as reasonably practicable and in any event within five working days of the Licensee becoming aware of the events occurrence.

The Licensee failed to notify the Commission when the Head of Regulatory Compliance (who held the post from 1 August 2019 to 14 June 2022) ceased to hold this position.

The Commission found the Licensee was in breach of licence condition 15.2.1 between 20 June 2022 and September 2022.

Breach of licence condition 1.2.1(3) - Specified management offices – personal management licences

"The person responsible for the licensee’s gambling regulatory compliance function as head of that function shall not, except with the Commission’s express approval, occupy any other specified management office."

At the time of the Assessment the person holding the position of Head of Regulatory Compliance also held a number of other specified management posts without the Commission’s express approval.

The Commission found the Licensee was in breach of licence condition 1.2.1(3) between 20 June 2022 and 3 October 2022.

Failure to comply with paragraph 1b, 1c and 2 of SRCP 3.4.1 (Customer Interaction)

Compliance with a SRCP is a condition of the licence by virtue of section 82(1) of the Act. SRCP 3.4.1 (in force from 31 October 2019 until 11 September 2022) states:

“1. Licensees must interact with customers in a way which minimises the risk of customers experiencing harms associated with gambling. This must include:

a. identifying customers who may be at risk of or experiencing harms associated with gambling.
b. interacting with customers who may be at risk of or experiencing harms associated with gambling.
c. understanding the impact of the interaction on the customer, and the effectiveness of the Licensee’s actions and approach.

Licensees must take into account the Commission’s guidance on customer interaction.”

Failings were identified in respect of the customer interaction processes, relating to identifying customers who may be at risk of or experiencing harms associated with gambling in that:

the series of financial and non-financial safer gambling triggers used to proactively identify when customers may be experiencing harms were not always effective, in particular new customers being able to deposit at high velocity
the Licensee did not have a process in place to identify, in real time, customers at risk of gambling related harm, or implement early and quick interactions.

Officials did not see evidence as to how the Licensee had fully taken account of the Commission’s formal customer interaction guidance, Customer interaction - Formal Guidance for remote gambling operators (PDF) (opens in a new tab) (July 2019)¹ (CI Guidance) in the following areas:

Identify

the processes in place did not always identify those potentially experiencing or at risk of gambling related harm or cause a customer interaction to take place at the earliest opportunity. The Commission expects licensees to monitor customer activity and be in a position to interact early and quickly. The review of customer accounts identified that some customers were able to deposit and lose up to and in excess of £10,000 with no controls in place to intervene until the money had been lost (Section 2.9 of CI Guidance)
disproportionate customer spend in relation to a customer’s personal circumstances was not considered for some customers until they had deposited and lost significant amounts of money
where financial circumstances were considered, the model relied on County Court Judgements and bankruptcy data to identify affordability concerns, which may not always be effective in identifying customers (Sections 2.10 & 2.11 of CI Guidance).

Interact

the interaction process in place did not consider the urgency for customer contact, particularly where nothing was little known about the customer’s circumstances (Section 3.4 of CI Guidance).

Failure to comply with SRCP 5.1.6 - the advertising codes

On 29 June 2022 an advertisement posted on behalf of the Licensee by one of its agents relating to its MrQ website appeared on Reddit. This advertisement featured an image showing three carton Spiderman figures.

Further, a review of MrQ.com on 3 August 2022 identified cartoon imagery, not in a restricted gateway. The imagery related to King Kong cash pots, Piggy Bank Bills and The Doghouse Megaways.

On both occasions the images shown were likely to be of particular appeal to children. The Commission acknowledges that, once it became aware of the adverts, the Licensee took immediate action to remove them.

The Commission found the Licensee had failed to comply with SRCP 5.1.6 on 29 June 2022 and 3 September 2022.

Failure to comply with SRCP 3.1.1(2) – Combating problem gambling

Licensees are required to make an annual financial contribution to an organisation, approved by the Commission to support research, prevention and treatment for those harmed by gambling. The Licensee had failed to make such a payment for the year ending December 2021.

The Commission found the Licensee had failed to comply with SRCP 3.1.1(2) for the year ending December 2021.

This regulatory settlement consists of:

a payment of £690,947 in lieu of a financial penalty, this includes a divestment of £50,947. The money will be directed for socially responsible purposes
agreement to the publication of a statement of facts in relation to this case
payment towards the Commission’s costs of investigating the case.

In considering an appropriate resolution to this investigation, the Commission has had regard to the following aggravating and mitigating factors:

Aggravating factors

the serious nature of the breaches identified
the impact on the licensing objectives
the breach arose in circumstances that were similar to previous cases the Commission has dealt with which resulted in the publication of lessons to be learned for the wider industry
the nature of the breaches may mean other customers were affected that the Commission has not reviewed.

Mitigating factors

The Licensee has:

taken immediate steps to rectify the breaches identified and, in some cases, had implemented changes prior to the compliance assessment
made early disclosure of all relevant facts
accepted the failings at the earliest opportunity
made an early regulatory settlement proposal
been fully co-operative throughout its dealings with the Commission.

Good practice

Gambling operators should take account of the failings identified in this investigation to ensure industry learning. Operators should consider the following questions:

do you have formal processes in place to measure the effectiveness of your AML and safer gambling policies and are findings adequately recorded?
do you have sufficient processes in place to ensure that all key events are notified to the Commission in a timely manner
is your marketing of gambling products and services undertaken in a socially responsible manner. Do they comply with the advertising codes of practice issued by the Committee of Advertising Practice (CAP) and the Broadcast Committee of Advertising Practice (BCAP)? Have you familiarised yourself with the latest Advice from CAP on 'Gambling, betting and gaming: Appeal to children' (May 2023) (opens in new tab)
do you efficiently record all compliance-related decisions and are you able to demonstrate to the Commission, on request, evidence of ongoing assessment, evaluation and improvement?
do lessons learned from public statements flow into your policy and processes?
are your customer risk profiles informed by or linked to your money laundering and terrorist financing risk assessment?
do you have a formalised process for analysing the effectiveness of customer interactions to ensure that reviews were adequately documented and consistent in their approach?
do you log the types of behaviour which have triggered a customer interaction and keep sufficient records of interactions, along with decisions not to interact especially in terms of the level of detail provided?
do you have out of hours arrangements in place?
have your staff received sufficient AML and social responsibility training?

Notes

¹This guidance is no longer in force, as of 11 September 2022.

End of public statement

Done Bros (Cash Betting) Limited Public Statement

Published: 18 July 2023

Operators are expected to consider the issues outlined below and review their own practices to identify and implement improvements in respect of the management of customers’ accounts.

Introduction

Licensed gambling operators have a legal duty to ensure gambling facilities are provided in compliance with the Gambling Act 2005 (opens in new tab)(the Act), the conditions of their licence and in accordance with the licensing objectives, which are to:

prevent gambling from being a source of crime or disorder, being associated with crime or disorder or being used to support crime
ensure that gambling is conducted in a fair, and open way
protect children and other vulnerable people from being harmed or exploited by gambling.

This investigation followed a compliance assessment and resulted in the commencement of a section 116 regulatory review of Done Bros (Cash Betting) Limited’s (the Licensee/Done Bros) Non-Remote General Betting Standard, Pool Betting and Ancillary Remote Licence number: 001058-N-102469-014. The regulatory review found failings in the Licensee’s processes which were aimed at Safer Gambling (SG) and preventing Money Laundering (ML).

Between January 2021 and December 2022¹, Done Bros failed to comply with certain Licence Conditions and Codes of Practice (LCCP), specifically:

paragraphs 1, 2 and 3 of licence condition 12.1.1, requiring the conducting of an appropriate risk assessment, the implementation of appropriate policies and procedures and keeping such policies under review to ensure their effectiveness, all with the objective of preventing ML and Terrorist Financing (TF)
paragraphs 1 and 2 of Social Responsibility Code Provision (SRCP) 3.4.1, requiring licensees to interact with customers in a way which minimises the risk of customers experiencing harms associated with gambling, and to take into account the Commission’s guidance on customer interaction.

The investigation and our subsequent regulatory review found:

failings in the Licensee’s implementation of Anti-Money Laundering (AML) policies, procedures and controls
deficiencies in its SG policies, procedures, controls and practices, including weaknesses in implementation.

We found that the Licensee had:

Breached licence condition 12.1 Prevention of money laundering and terrorist financing

Breach of paragraph 1 of licence condition 12.1.1

The Licensee accepted it breached this licence condition as its ML/TF risk assessment did not sufficiently reflect the Commission’s expectations or fully take into account the Commission’s ML/TF risk assessment of the British gambling industry.

The failings were that the Licensee’s ML/TF risk assessment did not:

sufficiently take into account the Commission’s most recent POCA Guidance
demonstrate that all risks to its business had been considered, for example those connected to third party suppliers, payment providers and processors, and customers using pre-paid cards
detail the risks and countermeasures in place to monitor customer transactions across multiple Licensed Betting Offices, products and platforms in order to mitigate any ML potential.

Breach of paragraph 2 and 3 of licence condition 12.1.1

Licence condition 12.1.1 (2) states: “Following completion of and having regard to the risk assessment, and any review of the assessment, licensees must ensure they have appropriate policies, procedures and controls to prevent money laundering and terrorist financing.”

Although an analysis of the specific customer records identified during the regulatory review found no evidence of criminal spend with the Licensee, the Licensee nevertheless accepted that it had breached this licence condition, as:

there were weaknesses and shortcomings in relation to the adequacy and maintenance of its policies and procedures, and their implementation
there was poor record keeping and its financial alerts (thresholds) were set too high. For example, Customer A lost circa £61,000 within a four-month period and no action was taken as the Licensee had previously concluded there were ‘no AML concerns’. The Licensee had relied on an ID document alone and no action was taken in respect of this customer when further reviews were completed
it had an inability to track customer play across products
it failed to consistently obtain appropriate Know Your Customer (KYC) identification and Source of Funds (SoF) documentation from its customers when its thresholds were met. For example, Customer B hit the AML trigger of £250,000 staked in 365 days. The customer’s ID was only requested after a 10-day delay, which the Licensee was unable to explain
it placed an undue reliance on open-source information and should have taken further steps to corroborate customers’ SoF information
certain customers were able to stake large amounts of money without the Licensee conducting appropriate KYC checks. For example:
- Customer A reached a net loss position of £61,000 within a four-month period with no appropriate KYC being conducted
- Customer C staked and lost £72,000 within a 9-month period due to the Licensee relying on uncorroborated open-source information
- Customer D staked £429,222 and lost £120,353 within a 11-month period due to the Licensee relying on uncorroborated open-source information.

Failed to comply with Paragraph 1 and 2 of SRCP 3.4.1 (Customer Interaction)

Compliance with a SRCP is a condition of the licence by virtue of section 82(1) of the Act. SRCP 3.4.1 (amended from 31 October 2019) states:

“1. Licensees must interact with customers in a way which minimises the risk of customers experiencing harms associated with gambling. This must include:

a. identifying customers who may be at risk of or experiencing harms associated with gambling.
b. interacting with customers who may be at risk of or experiencing harms associated with gambling.
c. understanding the impact of the interaction on the customer, and the effectiveness of the Licensee’s actions and approach.

Licensees must take into account the Commission’s guidance on customer interaction.”

The Licensee accepted it was not fully in compliance with SRCP 3.4.1 as:

it had insufficient controls in place to protect new customers, and to monitor high velocity spend and duration of play exposing the customer to the risk of substantial losses without SG interaction
it made assumptions that customers were not at risk because they were winning customers. For example, the Licensee failed to carry out interactions on a customer (Customer E) who staked £517,499 between 21 March 2022 and 18 May 2022. The basis was the Licensee was of the view that this customer was a professional poker player, displayed no signs to encourage staff interaction, and was in a winning position of £8,585 in the period. It was established that the customer was able to stake close to the entirety of his net worth (based upon open-source checks carried out by the Licensee) within a two month period and should have been subject of SG considerations
it did not always conduct SG interactions with customers who may be at risk of experiencing harm early enough in their journey
the interactions that it carried out were not always effective. For example, Customer F played for a period of five months and deposited £337,029 with a loss of £19,336.28 and placed a total of 1,375 bets. The customer was interacted with 12 times and the Licensee noted that each interaction was positive and indicated the customer was happy at his level of spend. However, during some interactions the customer demonstrated signs of potential harms such as his card being declined and placing large bets. The interactions did not escalate in any way and there is no evidence to suggest this customer was offered any information or support. The only factor that appears to have been considered was whether the customer appeared happy to continue to gamble
there was a lack of evidence of evaluation of the effectiveness of individual customer interactions and a lack of record keeping which limited the effectiveness of future interactions.

This regulatory settlement consists of:

a total payment of £3,250,000 in lieu of a financial penalty, which will be directed towards socially responsible purposes, which includes a divestment of £1,052,717
agreement to the publication of a statement of facts in relation to this case
payment of the Commission’s costs involved in conducting the review.

In considering an appropriate resolution to this investigation, the Commission has had regard to the following aggravating and mitigating factors:

Aggravating factors

the serious nature of the breaches identified
the impact on the licensing objectives
the Licensee’s senior management should have been aware of governance issues that lead to the breaches, given their significance.

Mitigating factors

the extent of steps taken to remedy the breach - the Licensee implemented an early action plan to remedy its failings
the Licensee procedurally met the Commission’s timetable in respect of providing material and responses
early and voluntary acceptance of the Commission’s findings and the early request to enter into the Regulatory Settlement process.

Good practice

Gambling operators should take account of the failings identified in this investigation to ensure industry learning. Operators should consider the following questions:

do you have formal processes in place to review your ML/TF risk assessment at least annually and measure the effectiveness of your AML and SG policies and procedures, and are findings adequately recorded?
do you efficiently record all compliance decisions and are you able to demonstrate to the Commission, on request, evidence of ongoing assessment, evaluation and improvement?
are lessons learned from public statements and other regulatory decisions appropriately incorporated in your policies and processes?
are your customer risk profiles reviewed in the light of new information?
do you have a formalised process for analysing the effectiveness of customer interactions to ensure that reviews are adequately documented and consistent in their approach?
do you log the types of behaviour which trigger a customer interaction and keep sufficient records of interactions, along with any decisions not to interact, especially in relation to the level of detail provided?
have your staff received sufficient AML and social responsibility training?

Notes

¹ This date represents the total period of non-compliance, there are some variations in the individual breach period for each condition.

End of public statement

Videoslots Limited Public Statement

Published: 15 June 2023

Operators are expected to consider the issues outlined below and review their own practices to identify and implement improvements in respect of the management of customers’ accounts.

Introduction

Licensed gambling operators have a legal duty to ensure gambling facilities are provided in compliance with the Gambling Act 2005 (opens in new tab)(the Act), the conditions of their licence, and in accordance with the licensing objectives, which are to:

prevent gambling from being a source of crime or disorder, being associated with crime or disorder or being used to support crime
ensure that gambling is conducted in a fair and open way
protect children & other vulnerable people from being harmed or exploited by gambling.

This investigation followed two compliance assessments which resulted in the commencement of a section 116 regulatory review¹ of Videoslots’ Limited, Combined Remote Operating Licence number: 039380-R-319311-032.

The regulatory review found failings in the implementation of Videoslots’ processes which were aimed at preventing Money Laundering (ML) and ensuring safer gambling.

Between October 2019 and February 2022², Videoslots failed to comply with certain Licence Conditions and Codes of Practice (LCCP), specifically:

paragraph 3 of licence condition 12.1.1, requiring licensees to ensure that ML policies, procedures and controls are implemented effectively, kept under review, revised appropriately to ensure that they remain effective, and take into account any applicable learning or guidelines published by the Gambling Commission
paragraphs 1a, 1b and 2 of Social Responsibility Code Provision (SRCP) 3.4.1, requiring licensees to identify and interact with customers in a way which minimises the risk of customers experiencing harms associated with gambling, and to take into account the Commission’s guidance on customer interaction.

In line with our Statement of principles for licensing and regulation, Videoslots will make payments in lieu of a financial penalty of £2,000,000. A breakdown of the regulatory settlement is set out in the following pages.

The investigation, and our subsequent regulatory review, found:

failings in Videoslots’ implementation of Anti-Money Laundering (AML) policies, procedures and controls
deficiencies in its responsible gambling controls and practices, and weaknesses in the implementation of the existing policies procedures and controls.

We found that Videoslots had been in:

Breach of licence condition 12.1.1(3)

Licence condition 12.1.1(3) states that “Licensees must ensure that such policies, procedures and controls are implemented effectively, kept under review, revised appropriately to ensure that they remain effective, and take into account any applicable learning or guidelines published by the Gambling Commission from time to time.”

Videoslots accepted it breached this licence condition between March 2021 and April 2022 for the following reasons:

it had not implemented its own risk-based processes appropriately due to significant delays in conducting the required action (such as an AML review or request for source of funds) following an AML trigger. For example, Customer A hit several AML triggers and was able to deposit £112,225 and, AML analysts did not properly implement all actions required by the Licensee's AML policies and procedures. Similar failings were demonstrated with other customers
it had not fulfilled elements of customer due diligence as early as intended in accordance with its risk-based approach
it did not have sufficient AML analysts to process the volumes of data or undertake the AML account reviews that were required to be performed in accordance with its AML policies and procedures
there were examples where analysts did not properly implement the Licensee's policies and procedures in respect of AML, which allowed a number of high-risk customers to continue to gamble significant amounts.

Failure to comply with SRCP 3.4.1 Customer interaction

Compliance with a SRCP is a condition of the licence by virtue of section 82(1) of the Act.

During the period covered by the compliance assessments SRCP 3.4.1 (ceased in September 2022) states:

“1. Licensees must interact with customers in a way which minimises the risk of customers experiencing harms associated with gambling. This must include:

a. identifying customers who may be at risk of or experiencing harms associated with gambling
b. interacting with customers who may be at risk of or experiencing harms associated with gambling
c. understanding the impact of the interaction on the customer, and the effectiveness of the Licensee’s actions and approach.

2 Licensees must take into account the Commission’s guidance on customer interaction.”

Videoslots accepted it was not fully in compliance with SRCP 3.4.1 during the following periods:

SRCP 3.4.1 paragraph 1a between March 2021 and October 2022
SRCP 3.4.1 paragraph 1b between March 2021 and March 2022
SRCP 3.4.1 paragraph 2 between October 2019 and February 2022.

Videoslots accepted it breached this SRCP for the following reasons:

in some instances, it did not ensure that customers displaying risk behaviours were identified as potentially experiencing harm because responsible gambling reviews were not undertaken as early, or as well as they should have been
it did not use restrictive measures such as forced deposit limits and playblocks as regularly as it could have
it failed to identify whether a customer was at risk of experiencing harm by not considering whether the amount being deposited or lost was appropriate. For example, Customer C had a self-declared income of between £60,000 and £80,000 and savings of between £20,000 and £50,000. This customer was able to deposit and lose £98,000 within 6 months which was more than all of their savings and estimated earnings combined. The reviews and interactions with this customer did not take into account the fact that this customer deposited disproportionately to their declared salary
it allowed customers showing indicators of harm, and those of medium and high risk, to continue to gamble significant amounts after interactions, despite their behaviour continuing. For example, Customer A deposited £112,225 and lost £58,725 between 21 November 2021 and 7 January 2022. During that period this customer hit a number of triggers such as gambling for long periods, gambling in the early hours and losses exceeding thresholds based on declared source of wealth. As a result of the triggers the Licensee completed three account reviews (one being as a result of the customer being a top winner) and sent an automated email. However, for this customer an account review was missed on 8 December 2021 and delayed on 29 December 2021. The operator’s approach to interactions set out in their responsible gambling policy and procedures was not implemented as it should have been. The customer not amending their behaviour demonstrates that the interactions, as a result, were not effective in minimising the risk of harm
it did not carry out effective interactions where it had information (such as numerous markers of harm triggered) which may have demonstrated that an enhanced approach or intervention was required
its process for escalating interactions or intervening were ineffective due to an over reliance on customer responses and source of wealth declarations
in some of the customer accounts reviewed, there were instances where, contrary to the Licensee's policy, affordability was not fully considered by responsible gambling analysts in allowing customers to continue to gamble.

A regulatory settlement penalty package of £2,000,000 has been agreed, which consists of the following elements:

a payment in lieu of a financial penalty of £1,505,158.02 which will be directed towards socially responsible causes
divestment of £494,841.98
agreement to the publication of a statement of facts by the Commission
payment of £11,308.00 towards our investigative costs.

Conclusion

Our investigation found, and Videoslots accepts, that there were significant weaknesses in its ability to implement its policies and procedures for AML and safer gambling purposes.

In considering an appropriate resolution to this investigation, the Commission has had regard to the following aggravating and mitigating factors:

Aggravating factors:

the nature of the breaches may mean other customers were affected that the Commission has not reviewed
the breach arose in circumstances that were similar to previous cases the Commission has dealt with which resulted in the publication of lessons to be learned for the wider industry
some of the breaches continued for a period of 1 year and 9 months
this is the second S116 review the Licensee has been subjected to. The first resulting in a settlement of £1 million.

Mitigating factors:

the Licensee has taken steps to rectify the breaches highlighted
the Licensee’s has accepted the key failings
the Licensee has acted in a timely manner and been co-operative with the investigation
the Licensee was transparent during the review period and outlined that operational effectiveness was severely impacted during the relevant period by the Covid pandemic.

Good practice

Gambling operators should take account of the failings identified in this investigation to ensure industry learning. Operators should also consider the following questions:

do lessons learned from public statements flow into your policy and processes?
are you providing your staff with appropriate training to ensure that they are aware of the law relating to money laundering and terrorist financing, and how to recognise and deal with transactions, activities or situations which may be related to ML or terrorist financing? 
do you have sufficient resilience within your AML and social responsibility functions?

Notes

¹ The Commission commenced its regulatory review on 9 February 2022

² This demonstrates the overall breach period. The period the Licensee was in breach for each condition varies and has been detailed further under the relevant sections below.

End of public statement

Skill On Net Limited Public Statement

Published: 23 May 2023

Operators are expected to consider the issues outlined below and review their own practices to identify and implement improvements in respect of the management of customers’ accounts.

Introduction

prevent gambling from being a source of crime or disorder, being associated with crime or disorder or being used to support crime
ensure that gambling is conducted in a fair, and open way
protect children and other vulnerable people from being harmed or exploited by gambling.

This investigation followed the commencement of a section 116 regulatory review of Skill on Net Limited (the Licensee), Combined Remote Operating Licence number: 039326-R-319358-050. The regulatory review found failings in the Licensee’s processes which were aimed at safer gambling and preventing Money Laundering (ML).

Between the period of January 2021 and December 2022¹, the Licensee failed to comply with the following Licence Conditions and Codes of Practice (LCCP):

paragraphs 1, 2 and 3 of licence condition 12.1.1 requiring compliance with the prevention of ML and Terrorist Financing (TF)
licence condition 12.1.2 requiring operators based in foreign jurisdictions to comply with the ML, TF and Transfer of Funds (Information of the Payer) Regulations 2017
paragraphs 1a, b and 2 of Social Responsibility Code Provision (SRCP) 3.4.1 requiring licensees to interact with customers in a way which minimises the risk of customers experiencing harms associated with gambling, and to take into account the Commission’s guidance on customer interaction
failed to adhere to Ordinary Code Provision (OCP) 2.1.1 - Anti-Money Laundering guidance.

Taking into account remedial action taken by the Licensee and in line with our Statement of principles for licensing and regulation, the Licensee will voluntarily make a payment in lieu of a financial penalty of £305,150, which includes a £105,650 divestment, and agreement to conduct an independent third-party audit as regards the effective implementation of the Licensee’s AML and safer gambling policies, procedures and controls within 12 months of the conclusion of the Licence Review.

The investigation and our subsequent regulatory review found:

insufficient policies, procedures and controls to comply with its Anti-Money Laundering (AML) responsibilities
deficiencies in its responsible gambling policies, procedures, controls and practices, including weaknesses in implementation.

We found that, between the period of January 2021 and December 2022, Skill on Net had been in:

Breach of paragraph 1 of licence condition 12.1.1

The Licensee accepted it breached this licence condition between May 2021 until December 2022, as its ML/TF risk assessment did not sufficiently reflect the Commission’s expectations or fully take into account the Commission’s ML/TF risk assessment of the British gambling industry.

The Commission found the relevant risk assessment failed to:

appropriately consider payments received from unknown or unassociated third parties of the customer
appropriately consider organised crime groups and mule accounts
take into account and adequately consider information on the risks of ML and TF made available to them by the Commission.

Breach of paragraph 2 of licence condition 12.1.1

Licence condition 12.1.1(2) states, “Following completion of and having regard to the risk assessment, and any review of the assessment, licensees must ensure they have appropriate policies, procedures and controls to prevent money laundering and terrorist financing.”.

The Licensee accepted that issues identified by the Commission indicated deficiencies in their policies and procedures and accepted they were in breach of licence condition 12.1.1(2) between May 2021 and March 2022.

The Commission’s concerns included:

failure to have appropriate procedures in place to consider customer’s salary or wealth in order to identify disproportionate spend, and reliance upon customers’ declarations to mitigate the ML risks posed
failure to effectively risk profile customers from an AML perspective and consider the risks outlined within the Licensees’ Risk Assessment
the Licensee relied on unevidenced verbal comments and monetary thresholds when considering disproportionate spend
a failure to require that the nominated officer provides an annual report covering the operation and effectiveness of the operator’s systems and controls to combat ML and TF, and take any action necessary to remedy deficiencies identified by the report in a timely manner.

Breach of paragraph 3 of licence condition 12.1.1

Licence condition 12.1.1(3) states, “Licensees must ensure that such policies, procedures and controls are implemented effectively, kept under review, revised appropriately to ensure that they remain effective, and take into account any applicable learning or guidelines published by the Gambling Commission from time to time.”.

The Licensee acknowledged their policies and procedures were not fully compliant with licence condition 12.1.1(3) between May 2021 and December 2022.

The Commission’s concerns included:

failure to take into account the Prevention of money laundering and combating the financing of terrorism guidance applicable at the time of the assessments
several customers were able to deposit and lose more than double the £2,000 limit the Licensee had in place to mitigate the risks of unverified payment methods
there was an over-reliance on re-staked gambling winnings with the belief that funds won and withdrawn by the customer were evidence of available funds up to 30 days later
the Licensee made assumptions that customers were recycling winnings without obtaining any evidence from the customer to support that assertion.

Breach of paragraph 1 of licence condition 12.1.2 (Anti-money laundering - measures for operators based in foreign jurisdictions)

Paragraph 1 of this condition has been in place since October 2016 and requires the Licensee comply with The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (the 2017 Regulations).

The Licensee accepted its policies and processes were not fully compliant and that there was a breach of licence condition 12.1.2 between May 2021 and December 2022.

Commission officials consider the Licensee failed to adequately implement the measures described in the relevant regulations laid out in the 2017 Regulations for reasons including:

the Licensee failed to take appropriate steps to identify and assess the risks of ML and TF
the Licensee failed to establish and maintain effective policies, procedure and controls
the Licensee failed to adequately take into account information made available to them by the supervisory authority (the Gambling Commission) under regulation 17(9).

Failure to comply with SRCP 3.4.1 paragraphs 1 and 2

SRCP (1) and (2) states:

“1. Licensees must interact with customers in a way which minimises the risk of customers experiencing harms associated with gambling. This must include:

a. identifying customers who may be at risk of or experiencing harms associated with gambling
b. interacting with customers who may be at risk of or experiencing harms associated with gambling
c. understanding the impact of the interaction on the customer, and the effectiveness of the Licensee’s actions and approach.".

Licensees must take into account the Commission’s guidance on customer interaction.”.

The Licensee accepted they were not in full compliance with SRCP 3.4.1 as follows:

paragraph 1a – May 2021 and 1 March 2022
paragraph 1b – January 2021 until 8 July 2021
paragraph 2 - January 2021 and 1 March 2022.

The Commission was concerned in particular with the following customer interaction failings regarding SRCP 3.4.1(1):

failure to identify customers who displayed markers of harm following a win such as an increase in sessions and stakes
customers were able to deposit and gamble high value bets at high velocity without company safer gambling controls activating due to a technical issue
failure to identify customers at risk or those disproportionately spending - for example, one customer was able to deposit and lose up to £3,000 per month which was more than their evidenced monthly salary
failure to recognise night play as a marker of harm due to its procedures not being correctly followed – one customer had a seven-hour session and admitted to being at work on nights with his phone on autoplay
failure to effectively interact with some customers by relying upon automated pop-ups
customer interactions did not effectively minimise the risk of customers experiencing harms associated with gambling. For example, one customer deposited £16,000 in total and had a net loss of £3224.74 over 41 days. The customer received multiple automated safer gambling popups and emails as well as receiving two alerts for their activity. The customer has a number of safer gambling chats which provided basic information to the agent’s questions and as a result the customer was able to continue gambling. The Licensee’s interactions were not effective in capturing the necessary information in order to make an assessment on whether an individual was at risk or not. The interactions that did take place were minimal and took the customer’s word at face value without any further scrutiny or attempt to seek further information to support decision making.

The Commission was also concerned the Licensee failed to take into account the Commission’s guidance on customer interaction, in accordance with SRCP 3.4.1(2) as:

there was no evidence to suggest high staking behaviour following a win had been taken into account as a potential marker of harm (CI Guidance – Sections 2.7f)

This regulatory settlement consists of:

£305,150 payment in lieu of a financial penalty, which will be directed towards socially responsible causes
agreement to the publication of a statement of facts in relation to this case
payment of £9,079.00 towards the Commission’s costs of investigating the case
agreement to conduct an independent third-party audit as regards the effective implementation of the Licensee's AML and safer gambling policies, procedures and controls within 12 months of the conclusion of the Licence Review.

In considering an appropriate resolution to this investigation, the Commission has had regard to the following aggravating and mitigating factors:

Aggravating factors:

the nature of the breaches may mean other customers were affected that the Commission has not reviewed
the breach arose in circumstances that were similar to previous cases the Commission has dealt with which resulted in the publication of lessons to be learned for the wider industry
the Licensee was subjected to three compliance assessments which all identified failings resulting in a prolonged period of non-compliance
officials still identified failings following two periods of special measures.

Mitigating factors:

the Licensee has now taken steps to rectify the breaches highlighted
the Licensee has accepted the key failings
the Licensee has acted in a timely manner and been co-operative with the investigation.

Good practice

Gambling operators should take account of the failings identified in this investigation to ensure industry learning. Operators should consider the following questions:

do you have formal processes in place to measure the effectiveness of your AML and safer gambling policies and are findings adequately recorded?
do lessons learned from public statements flow into your policy and processes?
does your ML and TF risk assessment meet all the requirements?
are your customer risk profiles formed by or linked to your ML and TF risk assessment?
do you have sufficient processes and systems in place to identify and interact with customers displaying markers of harm?

Notes

¹ This varies for each licence condition and the dates for each one is detailed under the relevant sections

End of public statement

Mr Green Limited Public Statement

Published: 28 March 2023

Operators are expected to consider the issues outlined below and review their own practices to identify and implement improvements in respect of the management of customers’ accounts.

Introduction

prevent gambling from being a source of crime or disorder, being associated with crime or disorder or being used to support crime
ensure that gambling is conducted in a fair, and open way
protect children and other vulnerable people from being harmed or exploited by gambling.

This investigation followed a compliance assessment and resulted in the commencement of a section 116 regulatory review¹ of Mr Green Limited (the Licensee/MRG), Combined Remote Operating Licence number: 000-039264-R-319432-019². The regulatory review found failings in the Licensee’s processes which were aimed at safer gambling and preventing Money Laundering (ML).

Between May 2020³ and 18 October 2021, MRG failed to comply with certain Licence Conditions and Codes of Practice (LCCP), specifically:

paragraphs 1, 2 and 3 of licence condition 12.1.1, requiring the conducting of an appropriate risk assessment, the implementation of appropriate policies and procedures and keeping such policies under review to ensure their effectiveness, all with the objective of preventing ML and Terrorist Financing (TF).
licence condition 12.1.2 requiring operators based in foreign jurisdictions to comply with the ML, TF and Transfer of Funds (Information of the Payer) Regulations 2017
paragraphs 1 and 2 of Social Responsibility Code Provision (SRCP) 3.4.1, requiring licensees to interact with customers in a way which minimises the risk of customers experiencing harms associated with gambling, and to take into account the Commission’s guidance on customer interaction
paragraphs 1 and 2 of SRCP 3.9.1 requiring licensees to put into effect policies and procedures designed to identify separate accounts which are held by the same individual and where customers hold more than one account, the Licensee must have and put into effect procedures which enable them to relate each of a customer’s such accounts to each other.

The investigation and our subsequent regulatory review found:

failings in the Licensee’s implementation of Anti-Money Laundering (AML) policies, procedures and controls
deficiencies in its responsible gambling policies, procedures, controls and practices, including weaknesses in implementation
certain customers who were the subject of AML restrictions on different brands were able to open account(s) with MRG.

We found that between 20 September 2020 and 22 October 2021 MRG had been in:

Breach of paragraph 1 of licence condition 12.1.1

The failings were that the Licensee’s risk assessment did not:

make explicit reference to specific risks in relation to TF
make specific reference to high monetary thresholds or organised crime gangs use of mule accounts⁴.

We found that between May 2020 and 18 October 2021 MRG had been in:

Breach of paragraphs 2 and 3 of licence condition 12.1.1

Licence condition 12.1.1 (2) states: “Following completion of and having regard to the risk assessment, and any review of the assessment, licensees must ensure they have appropriate policies, procedures and controls to prevent money laundering and terrorist financing.”

MRG accepted it breached this licence condition as:

there were weaknesses and shortcomings in relation to the adequacy and maintenance of its policies and procedures, and their implementation
its policies, procedures and controls lacked guidance on appropriate action to take following the results of customer profiling and how its findings should be used to establish the appropriate outcome
its procedures and controls lacked hard stops to prevent further spend and mitigate against ML risks before customer risk profiling is completed
certain customers were able to deposit large amounts of money without timely Enhanced Customer Due Diligence (ECDD) - a particular example included Customer A who deposited £52,985 before ECDD profiling.
a failure to resource due diligence teams sufficiently following a change in triggers resulted in a backlog of ECDD reviews to complete
it made assumptions that the fact certain customers were in a winning position reduced the risk for ML without gathering supporting evidence to support that assertion. In addition, for certain customers, the Licensee could not demonstrate it held adequate evidence or could not point to recorded decisions that allowed it to assert a customer’s recycling of winnings reduced the ML risk posed to the business
it placed an undue reliance on open-source information and should have taken further steps to corroborate the customer’s Source of Funds (SoF) information
AML staff training provided insufficient information on risks and how to manage them, in particular risks such as those associated with politically exposed person’s and high-risk jurisdictions
the Commission identified that certain customers were able to deposit large amounts of money without the Licensee conducting appropriate know your customer checks
- With Customer B, who deposited £73,535 and lost £14,068 in four months, the Licensee focused on the net worth of the companies with which the customer identified as being a director, rather than establishing personal income derived through a salary or dividend payments.

Breach of Paragraph 1 of licence condition 12.1.2 (Anti-money laundering measures for operators based in foreign jurisdictions)

Paragraph 1 of this condition has been in place since October 2016 and requires that:

“Licensees must comply with Parts 2 and 3 of the Money Laundering Regulations 2007 (UK Statutory Instrument No. 2157 of 2007) as amended by the Money Laundering (Amendment) Regulations 2007 (UK Statutory Instrument No. 3299 of 2007), or the equivalent requirements of any UK Statutory Instrument by which those regulations are amended or superseded insofar as they relate to casinos (the MLR) whether or not the MLR otherwise apply to their business”.

The Licensee accepts it breached this licence condition as the AML failings, set out above, constitute a breach of the 2017 Money Laundering Regulations, namely:

regulation 18 requires that the ‘relevant person’ take appropriate steps to identify and access the risks of ML and TF to which its business is subject
regulation 19 (1)(a) requires that the ‘relevant person’ must maintain policies, controls and procedures to mitigate and manage effectively the risks of ML and TF identified in any risk assessment undertaken by the relevant person
regulation 28 (11)(a) requires ongoing monitoring of a business relationship which includes, where necessary, checking source of funds to ensure that the transactions are consistent with the relevant person’s knowledge of the customer, the customer’s business and risk profile
regulation 33 imposes an obligation to apply ECDD measures and enhanced ongoing monitoring in any case identified as one where there is a high risk of ML or TF.

The Commission’s review of the specific customers identified during the compliance assessment found no evidence of criminal spend with the Licensee.

Failure to comply with Paragraph 1 and 2 of SRCP 3.4.1 (Customer Interaction)

Compliance with a SRCP is a condition of the licence by virtue of section 82(1) of the Act. SRCP 3.4.1 (amended from 31 October 2019) states:

“1 Licensees must interact with customers in a way which minimises the risk of customers experiencing harms associated with gambling. This must include:

a. identifying customers who may be at risk of or experiencing harms associated with gambling
b. interacting with customers who may be at risk of or experiencing harms associated with gambling
c. understanding the impact of the interaction on the customer, and the effectiveness of the Licensee’s actions and approach.

2 Licensees must take into account the Commission’s guidance on customer interaction.”

MRG accepted it was not fully in compliance with SRCP 3.4.1 as:

it failed to identify certain customers at risk of experiencing gambling related harm and checks should have been undertaken at a significantly earlier stage in the customer's journey:

customer C opened an account on 3 January 2021 and had deposited £23,000 in 24 hours because was no trigger in place to capture and prevent high velocity gambling without any interaction taking place
customer D opened an account on 16 March 2021 and lost £14,902 in 70 minutes, illustrating there was no effective trigger in place to capture and prevent high velocity gambling without any interaction

due to poor systems, and a lack of oversight across brands, there was no complete picture of a customer’s activity available to staff in order to identify risk from previous interactions or safeguards put in place
inadequate record keeping hampered the operator’s ability to decide how and when to interact with customers
it had insufficient controls in place to protect new customers, and to effectively consider high velocity spend and duration of play until the customer may have been exposed to the risk of substantial losses in a short period of time:
- customer E was allowed to open a new account and spend £32,500 over two days in January 2021 without any checks
- customer F was allowed to open a new account and spend £19,000 in 33 days over February and March in 2021 without any checks
- customer C was allowed to open a new account and spend £23,000 in 20 minutes on 3 January 2021 without any checks
- customer D was allowed to open an account and spend £18,000 in 24 hours on 3 January 2021 without any checks
there was a reliance from Licensee on email interactions when customers hit safer gambling alerts. Whilst the emails were not automated, they were not sufficiently tailored to customers’ individual circumstances.

Failure to comply with paragraph 1 and 2b of SRCP 3.9.1 (Identification of individual customers)

Paragraph 1 of SRCP 3.9.1 states:

“Licensees must have and put into effect policies and procedures designed to identify separate accounts which are held by the same individual”.

Paragraph 2b states:

“Where licensees allow customers to hold more than one account with them, the licensee must have and put into effect procedures which enable them to relate each of a customer’s such accounts to each of the others and ensure that: all of a customer’s accounts are monitored and decisions that trigger customer interaction are based on the observed behaviour and transactions across all the accounts”.

MRG accepted it was not fully in compliance with SRCP 3.9.1 as:

the Commission review revealed the Licensee failed to establish that at least four consumers had, or previously had, accounts, with WHG earlier enough in the customer journey. The linked accounts were discovered by MRG at the point it completed ECDD by which point significant amounts had been staked.

This regulatory settlement consists of:

a total payment of £3,750,000 in lieu of a financial penalty, which will be directed towards socially responsible purposes, which includes a divestment of £218,310.20
agreement to the publication of a statement of facts in relation to this case
agreement by the Licensee to vary its operating licence to add conditions to its operating licence, namely:
- to appoint a Board-level sponsor, either reporting directly to the Chair or the Executive Chair, to assume responsibility for compiling and progressing a 12-month action plan to deal with post case activity, and
- undertake a follow-up independent audit of relevant policies and procedures by 13 February 2024 to ensure whether it is effectively implementing its AML and safer gambling policies, procedures and controls, and that any further recommendations made by the independent audit should be implemented thereafter
payment of the Commission’s costs of conducting the review.

In considering an appropriate resolution to this investigation, the Commission has had regard to the following aggravating and mitigating factors:

Aggravating factors

the serious nature of the breaches identified
the impact on the licensing objectives
there has been a repeated breach or failure by the operator or other group companies
the breach arose in circumstances that were similar to previous cases the Commission has dealt with which resulted in the publication of lessons to be learned for the wider industry
the nature of the breaches may mean other customers were affected that the Commission has not reviewed
the Licensee’s senior management should have been aware of governance issues that lead to the breaches, given their significance.

Mitigating factors

the extent of steps taken to remedy the breach - the Licensee implemented an early action plan to remedy its failings
the Licensee procedurally met the Commission’s timetable in respect of providing material and, where such material could not be provided within the expected time period, sought an extension.

Good practice

Gambling operators should take account of the failings identified in this investigation to ensure industry learning. Operators should consider the following questions:

do you have formal processes in place to measure the effectiveness of your AML and safer gambling policies and procedures, and are findings adequately recorded?
do you efficiently record all compliance decisions and are you able to demonstrate to the Commission, on request, evidence of ongoing assessment, evaluation and improvement?
do lessons learned from public statements flow into your policy and processes?
are your customer risk profiles informed by or linked to your money laundering and terrorist financing risk assessment?
do you have a formalised process for analysing the effectiveness of customer interactions to ensure that reviews were adequately documented and consistent in their approach?
do you log the types of behaviour which have triggered a customer interaction and keep sufficient records of interactions, along with decisions not to interact, especially the level of detail provided?
have your staff received sufficient AML and social responsibility training?

Notes

¹ The Commission commenced its regulatory review on 30 September 2021

² Mr Green Limited trade under: Mr Green

³ There are some variances of starting date for breach, but they all fall within this common period. Specific variations from this date, include breach of paragraph 1 of Licence condition 12.1.1 which occurred between 20 September 2020 and 22 October 2021; Failing to comply with paragraphs 1 and 2 of SRCP 3.4.1 between 4 December 2020 and 18 October 2021; Paragraphs 1 and 2 of SRCP 3.9.1 between 4 December 2020 and 18 October 2021.

⁴ The AML Guidance and the Commission’s ML/TF risk assessment sets out a number of factors licensees must and should consider when undertaking their own ML/TF risk assessments. In addition, the Licensee is required, by virtue of Regulation 18(2)(a) of the Regulations, to take these documents into account when carrying out its own ML/TF risk assessment.

End of public statement

WHG (International) Limited Public Statement

Published: 28 March 2023

Operators are expected to consider the issues outlined below and review their own practices to identify and implement improvements in respect of the management of customers’ accounts.

Introduction

prevent gambling from being a source of crime or disorder, being associated with crime or disorder or being used to support crime
ensure that gambling is conducted in a fair, and open way
protect children and other vulnerable people from being harmed or exploited by gambling.

This investigation followed a compliance assessment and resulted in the commencement of a section 116 regulatory review¹ of WHG (International) Limited (the Licensee/WHG), Combined Remote Operating Licence number: 000-039225-R-319373-011².

The regulatory review found failings in the Licensee’s processes which were aimed at safer gambling and preventing Money Laundering (ML).

Between May 2020³ and 18 October 2021, WHG (International) Limited failed to comply with certain Licence Conditions and Codes of Practice (LCCP), specifically:

licence condition 2.3.1 (Remote Technical Standards)
paragraphs 1, 2 and 3 of licence condition 12.1.1, requiring the conducting of an appropriate risk assessment, the implementation of appropriate policies and procedures and keeping such policies under review to ensure their effectiveness, all with the objective of preventing ML and Terrorist Financing (TF)
licence condition 12.1.2 requiring remote casino operators based in foreign jurisdictions to comply with the ML, TF and Transfer of Funds (Information of the Payer) Regulations 2017.
paragraphs 1 and 2 of Social Responsibility Code Provision (SRCP) 3.4.1, requiring licensees to interact with customers in a way which minimises the risk of customers experiencing harms associated with gambling, and to take into account the Commission’s guidance on customer interaction
paragraphs 1a, 1c and 1d of SRCP 3.7.1 (Provision of Credit)
paragraph 2 of SRCP 3.9.1 requiring licensees to put into effect policies and procedures designed to identify separate accounts which are held by the same individual and where customers hold more than one account, the Licensee must have and put into effect procedures which enable them to relate each of a customer’s such accounts to each other.

Taking into account remedial action taken by the Licensee and in line with our Statement of principles for licensing and regulation, the Licensee will voluntarily make a payment in lieu of a financial penalty of £12,500,000, which includes a divestment of £284,361.57, and will vary its licence to add additional licence conditions.

The investigation and our subsequent regulatory review found:

failings in the Licensee’s implementation of Anti-Money Laundering (AML) policies, procedures and controls
deficiencies in its responsible gambling policies, procedures, controls and practices, including weaknesses in implementation.

We found that between May 2020⁴ and 18 October 2021 the Licensee had been in:

Breach of paragraph 1 of licence condition 2.3.1

Licence condition 2.3.1, paragraph 1 states: “Licensees must comply with the Commission’s technical standards and with requirements set by the Commission relating to the timing and procedures for testing”

The Licensee accepted it was not fully in compliance with 2.3.1 as:

the Licensee failed to ensure organisation policies and procedures were in place within its trading rooms
in the trading rooms there was evidence that certain customer relationships lacked management oversight or control
a member of trading team staff who had knowledge of customer’s username and password, placed bets on the customer’s instruction on their online account.

Breach of paragraph 1 of licence condition 12.1.1

The failings were that the Licensee’s risk assessment did not:

make explicit reference to specific risks in relation to TF
make specific reference to use of third parties or agents obscuring the source of ownership of money gambled by customers, high monetary thresholds or organised crime gangs’ use of mule accounts⁵.

Breach of paragraphs 2 and 3 of licence condition 12.1.1

Licence condition 12.1.1 (2) states: “Following completion of and having regard to the risk assessment, and any review of the assessment, licensees must ensure they have appropriate policies, procedures and controls to prevent money laundering and terrorist financing.”

The Licensee accepted it breached this licence condition as:

there were weaknesses and shortcomings in relation to the adequacy and maintenance of its policies and procedures, and their implementation
its policies, procedures and controls lacked guidance on appropriate action to take following the results of customer profiling and how its findings should be used to establish the appropriate outcome
its procedures and controls lacked hard stops to prevent further spend and mitigate against AML risks before customer risk profiling is completed
certain customers were able to deposit large amounts of money without timely Enhanced Customer Due Diligence (ECDD) - a particular example included Customer A who had a net spend of £36,137 before ECDD profiling
failure to resource due diligence teams sufficiently following a change in triggers that resulted in a backlog of ECDD reviews to complete
it made assumptions the fact certain customers were in a winning position reduced the risk for ML without gathering supporting evidence to support that assertion. In addition, for certain customers the Licensee could not demonstrate it held adequate evidence or could not point to recorded decisions that allowed it to assert a customer’s recycling of winnings reduced the ML risk posed to the business
it placed an undue reliance on open-source information and should have taken further steps to corroborate the customer’s Source of Funds (SoF) information
there were weaknesses in the documented processes relating to management of a small number of accounts which were directly managed by the trading team
AML training delivered to staff provided insufficient information on risks and how they are managed
certain customers were able to deposit large amounts of money without the Licensee conducting appropriate know your customer checks:
- Customer B was able to deposit £71,427 and lose £70,134 without the Licensee having knowledge as to the SoF or occupation details
- Customer C was a winning customer who was allowed to place bets via the trading team with a lack of appropriate oversight. A lack of depth and frequency of ongoing account monitoring allowed the customer to place bets on behalf of unknown third parties posing a risk to the licensing objectives – the Licensee had information that strongly suggested Customer C was placing bets on behalf of others. The customer was in a winning position of circa £195,000 when the account was suspended in February 2021
- Customer D had lost £38,000 between 21 April 2021 and 27 May 2021. Although operator profiling established the customer was a sales director, no financial information was gathered
- Customer E, who registered on 12 March 2021, was able to deposit and lose £36,000 in four days. The Licensee acknowledged it should have acted sooner when the customer deposited and lost significant amounts in the first 24 hours.

Breach of paragraph 1 of licence condition 12.1.2 (Anti-money laundering measures for operators based in foreign jurisdictions)

Paragraph 1 of this condition has been in place since October 2016 and requires that:

The Licensee accepts it breached this licence condition as the AML failings, set out above, constitute a breach of the 2017 Money Laundering Regulations, namely:

regulation 18 required that the ‘the relevant person’ take appropriate steps to identify and access the risks of ML and TF to which its business is subject
regulation 19(1)(a) requires that the ‘relevant person’ must maintain policies, controls and procedures to mitigate and manage effectively the risks of ML and TF identified in any risk assessment undertaken by the relevant person
regulation 28 (11)(a) requires ongoing monitoring of a business relationship which includes, where necessary, checking source of funds to ensure that the transactions are consistent with the relevant person’s knowledge of the customer, the customer’s business and risk profile
regulation 33 imposes an obligation to apply ECDD measures and enhanced ongoing monitoring in any case identified as one where there is a high risk of ML or TF.

The Commission’s review of the specific customers identified during the compliance assessment found no evidence of criminal spend with the Licensee.

Failure to comply with paragraph 1 and 2 of SRCP 3.4.1 (Customer Interaction)

Compliance with a SRCP is a condition of the licence by virtue of section 82(1) of the Act. SRCP 3.4.1 (amended from 31 October 2019) states:

“1 Licensees must interact with customers in a way which minimises the risk of customers experiencing harms associated with gambling. This must include:

a. identifying customers who may be at risk of or experiencing harms associated with gambling
b. interacting with customers who may be at risk of or experiencing harms associated with gambling
c. understanding the impact of the interaction on the customer, and the effectiveness of the Licensee’s actions and approach.

2 Licensees must take into account the Commission’s guidance on customer interaction.”

The Licensee accepted it was not fully in compliance with SRCP 3.4.1 as:

it failed to identify certain customers who were at risk of experiencing gambling related harm, failed to carry out checks at a significantly earlier stage with those customers, and failed to intervene in relevant circumstances

Customer F opened his account on 15 February 2021 and met a £7,500 ECDD threshold trigger on 19 February 2021, but due to a backlog, a customer profile was not completed until 17 March 2021. During those four weeks, the customer lost £54,252 but the operator did not seek income evidence, carry out adequate checks, or use any other effective method to identify risk of harm. The Licensee accepts there was a lack of interaction early enough in the customer journey

its system was not operating as it should have and allowed customers to exceed the thresholds it had previously implemented without interactions occurring and without any technical restriction or block
inadequate record keeping hampered the operator’s ability to decide how and when to interact with customers
insufficient controls exposed new or returning customers to the risk of substantial losses in a short period of time:

Customer G opened his account and lost £11,400 over the first 30 days without being subject to sufficient checks to minimise the risk of gambling related harm
Customer H did not have a telephone interaction until losses had reached £45,800

there was a reliance on automated email interactions when customers hit safer gambling alerts, and more should have been done to evaluate the effectiveness of those interactions.

Failure to comply with paragraphs 1a, 1c and 1d of SRCP 3.7.1 (Provision of Credit)

Paragraph 1a of SRCP states:

“Licensees who choose to offer credit to members of the public who are not themselves gambling operators must also:

a. have procedures for checking and scoring applications for credit from such customers, for setting, and for the increase of, credit limits

Paragraph 1c of SRCP 3.7.1 states:

c. set a maximum credit limit for each customer and not permit customers to exceed that limit without further application

Paragraph 1d of SRCP 3.7.1 states licensees must:

d. apply a 24-hour delay between receiving a request for an increase in a credit limit and granting it in those cases where the limit exceeds that which the operator previously set”

The Licensee accepted it was not fully in compliance with SRCP 3.7.1 as:

Customer C was allowed to immediately place a £100,000 bet when his credit limit had been set at £70,000
there were weaknesses in its documented processes relating to a small number of credit accounts.

Failure to comply with paragraph 2a of SRCP 3.9.1 (Identification of individual customers)

Paragraphs 2a of SRCP 3.9.1 state:

“2. Where licensees allow customers to hold more than one account with them, the licensee must have and put into effect procedures which enable them to relate each of a customer’s such accounts to each of the others and ensure that:

a. if a customer opts to self-exclude, they are effectively excluded from all gambling with the licensee unless they make it clear that their request relates only to some forms of gambling or gambling using only some of the accounts they hold with the licensee”

The licensee accepted it was not fully in compliance with SRCP 3.9.1 as:

ineffective controls allowed 331 customers to gamble with WHG (International) Limited despite them having self-excluded with another operator within the Group, Mr Green Limited. Such customers had self-excluded with Mr Green prior to its acquisition by William Hill.

This regulatory settlement consists of:

a total payment of £12,500,000 in lieu of a financial penalty, which will be directed towards socially responsible purposes, which includes a divestment of £284,361.57
agreement to the publication of a statement of facts in relation to this case
agreement by the Licensee to vary its operating licence to add conditions to its operating licence, namely:
- to appoint a Board-level sponsor, either reporting directly to the Chair or the Executive Chair, to assume responsibility for compiling and progressing a 12-month action plan to deal with post case activity, and
- undertake a follow-up independent audit of relevant policies and procedures by 13 February 2024 to ensure whether it is effectively implementing its AML and safer gambling policies, procedures and controls, and that any further recommendations made by the independent audit should be implemented thereafter
payment of the Commission’s costs of conducting the review.

In considering an appropriate resolution to this investigation, the Commission has had regard to the following aggravating and mitigating factors:

Aggravating factors

the serious nature of the breaches identified
the impact on the licensing objectives
there has been a repeated breach or failure by the operator or other group companies
the breach arose in circumstances that were similar to previous cases the Commission has dealt with which resulted in the publication of lessons to be learned for the wider industry
the nature of the breaches may mean other customers unknown to the Commission were affected
the Licensee’s senior management should have been aware of governance issues that lead to the breaches, given their significance.

Mitigating factors

the extent of steps taken to remedy the breach - the Licensee implemented an early action plan to remedy its failings
the Licensee procedurally met the Commission’s timetable in respect of providing material and, where such material could not be provided within the expected time period, sought an extension
early and voluntary reporting of breaches to the Commission - the Licensee reported early and voluntary breaches to the Commission⁶ .

Good practice

Gambling operators should take account of the failings identified in this investigation to ensure industry learning. Operators should consider the following questions:

do you ensure organisation policies and procedures are effective within your trading room?
do you have formal processes in place to measure the effectiveness of your AML and safer gambling policies and procedures, and are findings adequately recorded?
do you efficiently record all compliance decisions and are you able to demonstrate to the Commission, on request, evidence of ongoing assessment, evaluation and improvement?
do lessons learned from public statements flow into your policy and processes?
are your customer risk profiles informed by or linked to your money laundering and terrorist financing risk assessment?
do you have a formalised process for analysing the effectiveness of customer interactions to ensure that reviews were adequately documented and consistent in their approach?
do you log the types of behaviour which have triggered a customer interaction and keep sufficient records of interactions, along with decisions not to interact, especially the level of detail provided?
have your staff received sufficient AML and social responsibility training?

Notes

¹ The Commission commenced its regulatory review on 30 September 2021

² WHG (International) Limited trade under: William Hill Online

³ There are some variances of starting date for breach, but they all fall mainly within this common period. Specific variations from this date, include breach of licence condition 2.3.1 occurred during an unknown time period between December 2020 and February 2021; breach of paragraph 1 of licence condition 12.1.1 which occurred between 20 September 2020 and 22 October 2021. The Licensee also failed to comply with SRCP 3.4.1 between 4 December 2020 and 18 October 2021; SRCP 3.7.1 between 7 February 2021 and 12 February 2021; SRCP 3.9.1 between June 2021 to October 2021

⁴ Subject of variations detailed at footnote 3

⁵ The AML Guidance and the Commission’s ML/TF risk assessment sets out a number of factors licensees must and should consider when undertaking their own ML/TF risk assessments. In addition, the Licensee is required, by virtue of regulation 18(2)(a) of the Regulations, to take these documents into account when carrying out its own ML/TF risk assessment.

⁶ The Licensee reported early and voluntary breaches to the Commission which related to matters detailed in Finding 1 (Remote technical standard requirements under A.7.2.2); Finding 6 (SRCP 3.7.1); and Finding 7 (SRCP 3.7.1).

End of public statement

William Hill Organization Limited Public Statement

Published: 28 March 2023

Operators are expected to consider the issues outlined below and review their own practices to identify and implement improvements in respect of the management of customers’ accounts.

Introduction

prevent gambling from being a source of crime or disorder, being associated with crime or disorder or being used to support crime
ensure that gambling is conducted in a fair, and open way
protect children and other vulnerable people from being harmed or exploited by gambling.

This investigation followed a compliance assessment and resulted in the commencement of a section 116 regulatory review¹ of William Hill Organization Limited (WH Retail / the Licensee), Combined Non-Remote Operating Licence number: 000-002752-N-102413-014.

The regulatory review found failings in the Licensee’s processes which were aimed at preventing Money Laundering (ML), and safer gambling.

Between 1 January 2020 and 18 October 2021², the Licensee failed to comply with certain Licence Conditions and Codes of Practice (LCCP), specifically:

paragraphs 1, 2 and 3 of licence condition 12.1.1, requiring the conducting of an appropriate risk assessment, the implementation of appropriate policies and procedures and keeping such policies under review to ensure their effectiveness, all with the objective of preventing ML and Terrorist Financing (TF)
paragraphs 1 and 2 of Social Responsibility Code Provision (SRCP) 3.4.1, requiring licensees to interact with customers in a way which minimises the risk of customers experiencing harms associated with gambling, and to take into account the Commission’s guidance on customer interaction.

Taking into account remedial action taken by the Licensee and in line with our Statement of principles for licensing and regulation, the Licensee will voluntarily make a payment in lieu of a financial penalty of £2,999,850 which includes a divestment of £244,026.95, and will vary its licence to add additional licence conditions.

The investigation found:

failings in the Licensee’s implementation of Anti-Money Laundering (AML) policies, procedures and controls
deficiencies in its responsible gambling policies, procedures, controls and practices, including weaknesses in implementation
weaknesses in its reporting arrangements.

We found that, between January 2020 and 18 October 2021, the Licensee had been in:

Breach of paragraph 1 of licence condition 12.1.1

Breach of paragraph 1 of licence condition 12.1.1, which states: “Licensees must conduct an assessment of the risks of their business being used for money laundering and terrorist financing. Such risk assessment must be appropriate and must be reviewed as necessary in the light of any changes of circumstances, including the introduction of new products or technology, new methods of payment by customers, changes in the customer demographic or any other material changes, and in any event reviewed at least annually.”

The failings were that the Licensee’s risk assessment did not:

make explicit reference to specific risks in relation to TF.
make specific reference to risks associated with customer bank account changes, risks of fraudulent or dyed notes or business risks in the geographical risk section³
mention how the Licensee monitors customers who place bets in multiple betting offices, how this was reviewed and the mitigations in place.

Breach of paragraphs 2 and 3 of licence condition 12.1.1

Licence condition 12.1.1 (2) states: “Following completion of and having regard to the risk assessment, and any review of the assessment, licensees must ensure they have appropriate policies, procedures and controls to prevent money laundering and terrorist financing.”

The Licensee accepted:

weaknesses and shortcomings in relation to the adequacy and maintenance of its policies and procedures, and their implementation
certain customers identified by the Commission were able to stake large amounts of money without being monitored or scrutinised to the standard expected by the Commission:

a customer profile was compiled for Customer A after the customer had gambled £34,000 and lost £16,000 between 20 May and 1 June, 2021. Despite staking a £19,000 in a single bet no Source of Funds (SoF) evidence was requested
customer B staked £39,324 and lost £20,360.67 between 16 and 28 October 2020. No documentation was obtained by the Licensee which would support levels of gambling spend to mitigate the ML risk of high spend taking place over a short period of time
customer C staked a total of £276,942 with a total loss of £24,395 between 17 August and 16 October 2020. SoF evidence was requested on 12 October 2020, however, to date no evidence has been seen by the Licensee
the Licensee acknowledged that AML thresholds have since been revised and has confirmed that it has since amended its bet acceptance process

in relation to certain customers identified by the Commission, it placed over-reliance on recycled winnings
in particular cases, the Licensee failed to appropriately track customers across multiple Licensed Betting Offices (LBOs). The Commission found instances where the Licensee could have more effectively tracked customers across its LBO estate using information available to it. The Commission recognises the challenges of tracking customers using multiple premises in the non-remote Licensed betting offices.

The Commission’s review of the specific customers identified during the compliance assessment found no evidence of criminal spend with the Licensee.

Failure to comply with Paragraph 1 and 2 of SRCP 3.4.1 (Customer Interaction)

Compliance with a SRCP is a condition of the licence by virtue of section 82(1) of the Act. SRCP 3.4.1 (amended from 31 October 2019) states:

“1 Licensees must interact with customers in a way which minimises the risk of customers experiencing harms associated with gambling. This must include:

a. identifying customers who may be at risk of or experiencing harms associated with gambling
b. interacting with customers who may be at risk of or experiencing harms associated with gambling
c. understanding the impact of the interaction on the customer, and the effectiveness of the Licensee’s actions and approach.

2 Licensees must take into account the Commission’s guidance on customer interaction.”

The Licensee accepted it was not fully in compliance with SRCP 3.4.1 as:

with certain customers, the Licensee did not identify changes in the customer behaviour which should have provoked consideration of whether the customer was experiencing harm:

a safer gambling interaction was conducted with Customer D only after he had placed and had accepted an £18,000 bet - no interaction took place when accepting his bet as the Commission would have expected
Customer A usually places small stakes but then placed a £19,000 bet. Although a safer gambling interaction was conducted during which he stated he was ‘fine with his spend’, the Licensee failed to proactively further consider him from a responsible gambling prospective

it had insufficient controls in place to protect new customers, and to effectively consider high velocity spend and duration of play until the customer may have been exposed to the risk of substantial losses in a short period of time:

after its retail premise had been re-opened following the Covid pandemic lockdown, the Licensee allowed Customer F to lose £10,600 in two days without a safer gambling interaction.
despite being unknown and staking £42,253 in 130 bets over a three-day period, staff did not identify Customer G as being at risk of experiencing harms associated with gambling or undertake any customer interactions

in particular cases, the Licensee did not conduct interactions with customers who may be at risk of experiencing harm early enough in the customer journey
there was a lack of evidence of evaluation of the effectiveness of individual customer interactions and a lack of record keeping limited staff in properly tailoring their interactions with historic interactions in mind.

This regulatory settlement consists of:

a total payment of £2,999,850 in lieu of a financial penalty, which will be directed towards socially responsible purposes, which includes a divestment of £244,361.57
agreement to the publication of a statement of facts in relation to this case
agreement by the Licensee to vary its operating licence to add conditions to its operating licence, namely:
- to appoint a Board-level sponsor, either reporting directly to the Chair or the Executive Chair, to assume responsibility for compiling and progressing a 12-month action plan to deal with post case activity, and
- undertake a follow-up independent audit of relevant policies and procedures by 13 February 2024 to ensure whether it is effectively implementing its AML and safer gambling policies, procedures and controls, and that any further recommendations made by the independent audit should be implemented thereafter
payment of the Commission’s costs of conducting the review.

In considering an appropriate resolution to this investigation, the Commission has had regard to the following aggravating and mitigating factors:

Aggravating factors

the serious nature of the breaches identified
the impact on the licensing objectives
there has been a repeated breach or failure by the operator or other group companies
the breach arose in circumstances that were similar to previous cases the Commission has dealt with which resulted in the publication of lessons to be learned for the wider industry
the Licensee’s senior management should have been aware of governance issues that lead to the breaches, given their significance.

Mitigating factors

the extent of steps taken to remedy the breach – the Licensee implemented an action plan to remedy its failings
the Licensee procedurally met the Commission’s timetable in respect of providing material and, where such material could not be provided within the expected time period, sought an extension.

Good Practice

Gambling operators should take account of the failings identified in this investigation to ensure industry learning. Operators should consider the following questions:

do you have formal processes in place to measure the effectiveness of your AML and safer gambling policies and procedures, and are findings adequately recorded?
do you efficiently record all compliance decisions and are you able to demonstrate to the Commission, on request, evidence of ongoing assessment, evaluation and improvement?
do lessons learned from public statements flow into your policy and processes?
do you have a formalised process for analysing the effectiveness of customer interactions to ensure that reviews were adequately documented and consistent in their approach?
do you log the types of behaviour which have triggered a customer interaction and keep sufficient records of interactions, along with decisions not to interact, especially the level of detail provided?
have your staff received sufficient AML and social responsibility training?

Notes

¹ The Commission commenced its regulatory review on 30 September 2021.

² There is one variance from the breach date listed - Paragraph 1 of licence condition 12.1.1 was breached between 1 January 2020 and 2 May 2022.

³ The AML Guidance and the Commission’s ML/TF risk assessment sets out a number of factors licensees must and should consider when undertaking their own ML/TF risk assessments. In addition, the Licensee is required, by virtue of Regulation 18(2)(a) of the Regulations, to take these documents into account when carrying out its own ML/TF risk assessment.

End of public statement

Blue Star Planet Limited Public Statement

Published: 16 February 2023

Operators are expected to consider the issues outlined above and review their own practices to identify and implement improvements in respect of the management of customers’ accounts.

Introduction

prevent gambling from being a source of crime or disorder, being associated with crime or disorder or being used to support crime
ensure that gambling is conducted in a fair, safe and open way
protect children and other vulnerable people from being harmed or exploited by gambling.

This investigation resulted in the commencement of a section 116 regulatory review¹ of Blue Star Planet Limited, Combined Remote Operating Licence Number: 000-043173-R-322899-020.

The regulatory review found failings in Blue Star Planet Limited’s processes which were aimed at preventing Money Laundering (ML) and protecting vulnerable people. These failings were identified following a compliance assessment that was conducted by Commission Officials on 22, 23, 24 and 25 June 2021.

Between November 2019 and June 2021, Blue Star Planet Limited failed to comply with the following Licence Conditions and Codes of Practice (LCCP):

paragraphs 1, 2 and 3 of licence condition 12.1.1, requiring compliance with the prevention of money laundering and terrorist financing
licence condition 12.1.2 requiring operators based in foreign jurisdictions to comply with the Money Laundering, Terrorist Financing and Transfer of Funds (Information of the Payer) Regulations 2017 (the 2017 Regulations)
paragraph 1a of licence condition 8.1.1, requiring licensees providing facilities for remote gambling to display on every screen from which customers are able to access gambling facilities provided in reliance on this licence a statement that they are licensed and regulated by the Gambling Commission
paragraphs 1b, 1c and 2 of Social Responsibility Code Provision (SRCP) 3.4.1, requiring licensees to interact with customers in a way which minimises the risk of customers experiencing harms associated with gambling, and to take into account the Commission’s guidance on customer interaction.

Considering remedial action taken by Blue Star Planet Limited and in line with our Statement of principles for licensing and regulation, Blue Star Planet Limited will pay a total of £620,000 in lieu of a financial penalty.

The investigation and our subsequent regulatory review found:

failings in Blue Star Planet Limited’s implementation of Anti-Money Laundering (AML) policies, procedures and controls
deficiencies in its responsible gambling policies, procedures, controls and practices, including weaknesses in implementation
weaknesses in its reporting arrangements.

We found that between November 2019 and June 2021, Blue Star Planet Limited had been in:

Breach of paragraph 1 of license condition 12.1.1

Blue Star Planet Limited accepted its AML Risk Assessment (the Risk Assessment) was inadequate in certain areas and did not explicitly acknowledge:

certain high-risk factors deemed by the Commission to be relevant under Regulation 33 of the 2017 Regulations(opens in new tab)
certain customer risks specifically mentioned at paragraph 2.22 of the Commission’s guidance on anti-money laundering (opens in new tab) ‘The prevention of money laundering and combating the financing of terrorism – Guidance for remote and non-remote casinos’ (AML Guidance).

Breach of paragraph 2 of license condition 12.1.1

Blue Star Planet Limited accepted that at the time of the Assessment:

the financial controls in place to automatically limit the amount customers could deposit were too high and that, as a consequence, its policies and procedures were not implemented effectively or appropriately in accordance with licence condition 12.1.1(2)
the financial limits put in place to control how much more a customer could deposit and gamble after reaching an AML risk alert, and before satisfactory risk profiling could take place, were set too high
some customers were permitted to deposit significant amounts of money (up to the cumulative deposit limit) in a short period of time before satisfactory risk profiling (and any manual restrictions) could occur.

Breach of paragraph 3 of licence condition 12.1.1

Blue Star Planet Limited accepted that, at the time of the Assessment:

some customers were able to gamble at high velocity before automated restrictions were applied to the customer’s account
there were instances where SoF evidence should have been requested from some customers at an earlier stage in the business relationship
some of its customers who had received an interaction should have been restricted from further play due to ML / TF risks that were presented
the financial deposit limits were too high and, as a result, were not effective in controlling high velocity spend and permitted some customers to exceed AML risk thresholds that were in place.

Breach of paragraph 1 of licence condition 12.1.2 (Anti-Money Laundering Measures for operators based in foreign jurisdictions)

Paragraph 1 of this condition has been in place since October 2016 and requires that: “Licensees must comply with Parts 2 and 3 of the Money Laundering Regulations 2007 (UK Statutory Instrument No. 2157 of 2007) as amended by the Money Laundering (Amendment) Regulations 2007 (UK Statutory Instrument No. 3299 of 2007), or the equivalent requirements of any UK Statutory Instrument by which those regulations are amended or superseded insofar as they relate to casinos (the MLR) whether or not the MLR otherwise apply to their business”.

Blue Star Planet Limited accepted:

it was in breach of licence condition 12.1.2 on the basis of the conditions detailed at sections 1 to 3.

Breach of licence condition 8.1.1 (Display of Licensed Status)²

Licence condition 8.1.1 states:

“1 Licensees providing facilities for remote gambling must display on every screen from which customers are able to access gambling facilities provided in reliance on this licence:

a. a statement that they are licensed and regulated by the Gambling Commission.
b. their account number.
c. a link (which will be supplied by the Commission) to their current licensed status as recorded on the Commission’s website.

2 Such statement, account number and link must be in the format, provided by the means, and contain the information from time to time specified by the Commission in its technical standards applicable to the kind of facilities for gambling provided in accordance with this licence or otherwise notified to licensees for the purposes of this condition.

3 Licensees may also display on screens accessible from Great Britain information about licences or other permissions they hold from regulators in, or by virtue of the laws of, jurisdictions outside Great Britain provided it is made plain on those screens that the licensee provides facilities for gambling to persons in Great Britain in reliance on their Gambling Commission licence(s).”

Blue Star Planet Limited accepted that, at the time of the Assessment:

a link on its website did not work however, upon identification this was immediately corrected.

Compliance with a SRCP is a condition of the licence by virtue of section 82(1) of the Act. SRCP 3.4.1 (amended from 31 October 2019) states:

“1 Licensees must interact with customers in a way which minimises the risk of customers experiencing harms associated with gambling. This must include:

a. identifying customers who may be at risk of or experiencing harms associated with gambling.
b. interacting with customers who may be at risk of or experiencing harms associated with gambling.
c. understanding the impact of the interaction on the customer, and the effectiveness of the Licensee’s actions and approach”.

2 Licensees must take into account the Commission’s guidance on customer interaction.”

Blue Star Planet Limited accepted, at the time of the Assessment:

it did not employ dedicated compliance staff to monitor safer gambling alerts overnight. Customers who reached safer gambling triggers overnight would be manually reviewed the following day
as a result of the need for manual review and there being no overnight monitoring of safer gambling alerts some customers were permitted to hit several safer gambling triggers without risk assessments and interactions occurring in real time
it did not implement high-velocity risk alerts which permitted some customers to spend at high velocity without interactions happening in real time
the financial risk alerts in place at the time of the Assessment failed to give adequate consideration to average discretionary income data and failed to identify customers at the earliest opportunity. It recognises that the safer gambling controls failed to prevent some customers from spending significant amounts of money over short periods of time, before interactions or interventions occurred based on meaningful assessments of the risks presented. Further, while interactions and interventions did occur, it is accepted that these did not occur in real-time (and generally occurred one day later)
it could have better evidenced how customer interactions were evaluated for their effectiveness
it did not act quickly enough to identify and interact with two customers reviewed by Officials during the Assessment, despite both exhibiting signs of potentially problematic gambling.

This regulatory settlement consists of:

£620,000 payment in lieu of a financial penalty, which will be directed towards socially responsible causes.
agreement to the publication of a statement of facts in relation to this case.
payment of £3,571.25 towards the Commission’s costs of investigating the case.

In considering an appropriate resolution to this investigation, the Commission has had regard to the following aggravating and mitigating factors:

Aggravating factors

the serious nature of the breaches identified
the impact on the licensing objectives
the breach arose in circumstances that were similar to previous cases the Commission has dealt with which resulted in the publication of lessons to be learned for the wider industry
the need to encourage compliance among other operators
the nature of the breaches may mean other customers were affected that the Commission has not reviewed
Blue Star Planet Limited’s senior management should have been aware of governance issues that lead to the breaches.

Mitigating factors

the extent of steps taken to remedy the breach
Blue Star Planet Limited’s early recognition of its failings
the Licensee has been co-operative throughout its dealings with the Commission.

Good practice

Gambling operators should take account of the failings identified in this investigation to ensure industry learning. Operators should consider the following questions:

do you have formal processes in place to measure the effectiveness of your AML and safer gambling policies and are findings adequately recorded?
do you efficiently record all compliance-related decisions and are you able to demonstrate to the Commission, on request, evidence of ongoing assessment, evaluation and improvement?
do lessons learned from public statements flow into your policy and processes?
are your customer risk profiles formed by or linked to your money laundering and terrorist financing risk assessment?
do you have a formalised process for analysing the effectiveness of customer interactions to ensure that reviews were adequately documented and consistent in their approach?
do you log the types of behaviour which have triggered a customer interaction and keep sufficient records of interactions, along with decisions not to interact especially in terms of the level of detail provided?
do you have out of hours arrangements in place?
have your staff received sufficient AML and SR training?

Notes

¹ The Commission commenced its section 116 review on 7 September 2021.

² Although the Licensee accepts the breach, it remains of the view that an isolated incident of a single broken website link should not warrant a finding that it breached licence condition 8.1.1.

End of public statement

Vivaro Limited Public Statement

Published: 17 January 2023

Operators are expected to consider the issues outlined as follows and review their own practices to identify and implement improvements in respect of the management of customers’ accounts.

Introduction

Licensed gambling operators have a legal duty to ensure gambling facilities are provided in compliance with the Gambling Act 2005 (the Act), the conditions of their licence, and in accordance with the licensing objectives, which are to:

prevent gambling from being a source of crime or disorder, being associated with crime or disorder or being used to support crime
ensure that gambling is conducted in a fair and open way
protect children & other vulnerable people from being harmed or exploited by gambling.

This investigation followed a compliance assessment carried out in April 2021 and resulted in the commencement of a section 116 regulatory review1 of Vivaro Limited (Vivaro), Combined Remote Operating Licence number: 000-044662-R-324273-017.

The regulatory review found failings in Vivaro’s processes which were aimed at preventing Money Laundering (ML) and safer gambling.

Between October 2020 and June 2021 Vivaro failed to comply with certain Licence Conditions and Codes of Practice (LCCP), specifically:

paragraphs 2 and 3 of Licence condition 12.1.1, requiring the prevention of money laundering and terrorist financing
Licence Condition 12.1.2 requiring operators based in foreign jurisdictions to comply with the Money Laundering, Terrorist Financing and Transfer of Funds (Information of the Payer) Regulations 2017
paragraphs 1 and 2 of Social Responsibility Code Provision (SRCP) 3.4.1, requiring licensees to interact with customers in a way which minimises the risk of customers experiencing harms associated with gambling, and to take into account the Commission’s guidance on customer interaction.

In line with our Statement of principles for licensing and regulation, Vivaro will make payments in lieu of a penalty package of £337,631. A breakdown of the regulatory settlement is set out in the following sections.

The investigation, and our subsequent regulatory review, found:

failings in Vivaro’s implementation of Anti-Money Laundering (AML) policies, procedures and controls
deficiencies in its responsible gambling policies, procedures, controls and practices, including weaknesses in implementation.

We found that between October 2020 and June 2021, Vivaro had been in breach of the following licence conditions and Social Responsibility Code Provisions:

Breach of licence condition 12.1.1.2 and 12.1.1.3

Licence condition 12.1.1 (2) states that “Following completion of and having regard to the risk assessment, and any review of the assessment, licensees must ensure they have appropriate policies, procedures and controls to prevent money laundering and terrorist financing.”

Vivaro accepted it breached these licence conditions for the following reasons:

customers were able to deposit a significant sum of money before ‘know your customer’ (KYC) checks were carried out
Vivaro did not provide sufficient guidance within its policies or procedures as to how staff should verify Source Of Funds (SOF) and what supporting documents should be requested
AML trigger levels were considered too high, based on the average level of customer spend, and were therefore not appropriate to effectively manage associated ML risk
customers reviewed during the compliance assessment were subject to AML checks which were ineffective in establishing the SOF being used for gambling, bank statements were not scrutinised to identify other income and a reliance was placed on winnings from other operators. One Customer was able to deposit £14,850 within two months with insufficient SOF being established. It is the Commission's view that whilst some checks were conducted, these were not sufficient until the customer had met the ‘Very High AML Threshold’ set by the Licensee. It is the Commission's view that Vivaro were over reliant on the customer’s net gambling position. Another customer provided a bank statement showing a balance of over £270,000 said to be winnings from other betting account. Vivaro failed to sufficiently consider the risks associated with recycled winnings. In particular, no additional checks were undertaken to confirm the origin of the funds that had been used to gamble. Customers could be misappropriating funds and re-depositing fresh criminal spend
the Licensee did not sufficiently consider the risks associated with funds a customer used to gamble that had originated from crypto currency. Crypto currency is considered high risk by Commission Officials and should be subject to further investigation.

The Commission’s review of the specific customers identified during the Compliance assessment found no evidence of criminal spend with the Licensee.

Breach of licence condition 12.1.2.1

Paragraph 1 of this condition has been in place since October 2016 and requires that:

The Licensee accepts it breached this licence condition as the AML failings, set out above, constitute a breach of the 2017 Money Laundering Regulations, namely:

Regulation 19 (1)(a) requires that the ‘relevant person’ must maintain policies, controls and procedures to mitigate and manage effectively the risks of money laundering and terrorist financing identified in any risk assessment undertaken by the relevant person
Regulation 24 (a) imposes a relevant person must take appropriate measures to ensure that its relevant employees are made aware of the law relating to money laundering and terrorist financing, and to the requirements of data protection, which are relevant to the implementation of these Regulations; and regularly given training in how to recognise and deal with transactions and other activities or situations which may be related to money laundering or terrorist financing
Regulation 28 (11)(a) requires ongoing monitoring of a business relationship which includes, where necessary, checking source of funds to ensure that the transactions are consistent with the relevant person’s knowledge of the customer, the customer’s business and risk profile.

Compliance with a SRCP is a condition of the licence by virtue of section 82(1) of the Act. SRCP 3.4.1 (amended from 31 October 2019) states:

“1 Licensees must interact with customers in a way which minimises the risk of customers experiencing harms associated with gambling. This must include:

a. identifying customers who may be at risk of or experiencing harms associated with gambling.
b. interacting with customers who may be at risk of or experiencing harms associated with gambling.
c. understanding the impact of the interaction on the customer, and the effectiveness of the Licensee’s actions and approach.

2 Licensees must take into account the Commission’s guidance on customer interaction.”.

Vivaro accepted it was not fully in compliance with SRCP 3.4.1 as:

it had insufficient control in place to protect new customers, and to effectively consider high velocity spend and duration of play until the customer reached a ‘higher tier’ AML Trigger. In one example a customer was allowed to deposit and lose £4000 within a 4-day period
it did not have sufficient resourcing of its KYC agents to manage requirements in respect of identifying customers at risk and undertake customer interactions. The automatic system suspension was in relation to financial triggers only; and that it did not sufficiently resource other risk factors
it did not have sufficient resourcing or effective automatic blocking to manage requirements in respect of customer interactions. Commission Officials consider that the licensee would have been able to act more promptly and tailor interactions more appropriately (such as telephone calls) if there were sufficient staff resources
there was a reliance from Vivaro on email interactions when customers hit safer gambling alerts. Whilst the emails were not automated, they were not sufficiently tailored to the customers’ individual circumstances
there was a poor level of recording by Vivaro, as well as no evaluation of customer use and impact of responsible gambling tools and/or customer interactions for their effectiveness. One Customer with a salary of £5,000 a month, was able to deposit £20,000 between 09 September 2020 and 05 February 2021- this amounted to circa 80% of the customers salary and the Licensee did not sufficiently review this level of spend.

A regulatory settlement package of £337,631 has been agreed, which consists of the following elements:

a payment in lieu of a financial penalty of £302,500 which will go to National Responsible Gambling Strategy project(s) to pay for research and treatment as determined appropriate to address the risk of harmful gambling
divestment of £35,131
the voluntary placing of additional condition on Vivaro’s’ operating licence under section 117(1)(b) of the Act, requiring the licensee to:

undertake a third-party audit within 12 months of the conclusion of the review. The purpose of the audit is to examine whether the Licensee is effectively implementing its anti-money laundering and social responsibility policies, procedures and controls in accordance with its regulatory requirements
provide the Commission with a copy of the Audit report within 5 working days of it being received by it.

agree to the publication of a statement of facts by the Commission
payment of £15,606.50 towards our investigative costs.

Conclusion

Our investigation found, and Vivaro accepts, that there were significant weaknesses in its systems relating to how it managed its customers for AML and social responsibility purposes.

In determining the appropriate outcome, we took the following factors into account:

there were significant licence condition breaches for a sustained period of time. This impacted the licensing objectives, particularly preventing gambling from being used to support crime, and protecting vulnerable persons from being harmed or exploited by gambling
proactive and timely action taken by Vivaro to address all the issues identified
Vivaro being open and transparent from the outset of the investigation and fully co-operative throughout
the nature of Vivaro’s business, including their financial resources.

Good Practice

Gambling operators should take account of the failings identified in this investigation to ensure industry learning. Operators should also consider the following questions:

do you have formal processes in place to measure the effectiveness of your AML and safer gambling policies and procedures, and are findings adequately recorded?
do you efficiently record all compliance decisions and are you able to demonstrate to the Commission, on request, evidence of ongoing assessment, evaluation and improvement?
do lessons learned from public statements flow into your policy and processes?
are your customer risk profiles informed by, or linked to, your money laundering and terrorist financing risk assessment?
do you have a formalised process for analysing the effectiveness of customer interactions to ensure that reviews were adequately documented and consistent in their approach?
do you log the types of behaviour which have triggered a customer interaction and keep sufficient records of interactions, along with decisions not to interact, especially the level of detail provided?
have your staff received sufficient AML and SR training?

End of public statement

Spreadex Limited Public Statement

Published: 25 August 2022

Key failings:

breach of licence condition 12.1.1 paragraphs 1, 2 and 3 - Prevention of Money Laundering and Terrorist Financing
failure to act in accordance with Ordinary Code Provision (OCP) 2.1.1 – Anti-Money Laundering (Casino)
failure to comply with Social Responsibility Code Provision 3.4.1 paragraph 1 and 2 - Customer Interaction.

Operators are expected to consider the issues outlined below and review their own practices to identify and implement improvements in respect of the management of customers’ accounts.

Introduction

Licensed gambling operators have a legal duty to ensure their gambling facilities are provided in compliance with the Gambling Act 2005 (opens in new tab) (the Act) and the conditions of their licence, and in accordance with the licensing objectives, which are to:

prevent gambling from being a source of crime or disorder, being associated with crime or disorder or being used to support crime
ensure that gambling is conducted in a fair, safe and open way
protect children and other vulnerable people from being harmed or exploited by gambling.

This investigation resulted in the commencement of a section 116 regulatory review of Spreadex Limited (Spreadex), Combined Remote Operating Licence number: 000-008835-R-104580-017. The Commission commenced its regulatory review on 2 June 2021, following concerns identified in a compliance assessment conducted in May 2021.

The regulatory review found failings in Spreadex’s procedures which were aimed at preventing Money Laundering (ML) and protecting vulnerable people.

Between January 2020 and May 2021 Spreadex breached its Licence Conditions and Codes of Practice (LCCP), specifically:

paragraphs 1, 2 and 3 of licence condition 12.1.1, requiring the prevention of money laundering and terrorist financing. This includes its failure to act in accordance with the Commission’s guidance: The Prevention of Money Laundering and Combating the Financing of Terrorism - Guidance for remote and non-remote casinos OCP 2.1.1 – Anti-Money Laundering (Casino)
paragraphs 1 and 2 of Social Responsibility Code Provision (SRCP) 3.4.1, requiring licensees to interact with customers in a way which minimises the risk of customers experiencing harms associated with gambling, and to take into account the Commission’s guidance on customer interaction.

Taking into account remedial action taken by Spreadex and in line with our Statement of Principles for licensing and regulation, Spreadex will pay a total of £1,363,786 in lieu of a financial penalty.

The investigation and our subsequent regulatory review found:

failings in Spreadex’s implementation of anti-money laundering (AML) policies, procedures and controls
deficiencies in its responsible gambling policies, procedures, controls and practices, including weaknesses in implementation.

Breach of paragraph 1 of licence condition 12.1.1

Licence condition 12.1.1(1) states, “Licensees must conduct an assessment of the risks of their business being used for money laundering and terrorist financing. Such risk assessment must be appropriate and must be reviewed as necessary in the light of any changes of circumstances, including the introduction of new products or technology, new methods of payment by customers, changes in the customer demographic or any other material changes, and in any event reviewed at least annually.”.

The Commission found, and Spreadex acknowledged, that its Money Laundering and Terrorist Financing Risk Assessment (ML and TF RA) was not fully compliant with licence condition 12.1.1 (1). In particular:

it had not been reviewed and updated on an annual basis as required, and did not take into account and adequately consider information on the risks of ML and TF made available in Commission publications
it did not acknowledge and assess all the relevant customer, product and geographical risk factors.

Breach of paragraph 2 of licence condition 12.1.1

Licence condition 12.1.1(2) states “Following completion of and having regard to the risk assessment, and any review of the assessment, Licensees must ensure they have appropriate policies, procedures and controls to prevent money laundering and terrorist financing.”.

The Commission found, and Spreadex acknowledged, that it was not fully compliant with licence condition 12.1.1(2). In particular:

there were weaknesses and shortcomings in relation to the adequacy and maintenance of its AML policies, procedures and controls
certain customers were able to deposit large amounts of money without sufficient interaction being triggered, such as a Source of Funds (SOF) check.

As examples, the Commission’s concerns included:

ineffective Enhanced Customer Due Diligence (ECDD) triggers allowed customers to deposit large sums of money before the first AML review was undertaken
the level of information obtained and verified by the Licensee did not increase in line with customer ML risk levels. In one case, a customer who met a £25,000 financial deposit alert, had the alert for further review increased to £100,000 based on a self-declaration of income and an open-source check
over reliance on electronic verification checks without obtaining additional independent evidence from reliable sources.

Breach of paragraph 3 of licence condition 12.1.1

The Commission found, and Spreadex acknowledged, that its policies, procedures and controls were not fully compliant with licence condition 12.1.1(3). In particular, the Licensee:

failed to critically review SOF documentation and was over reliant on electronic checks
did not have in place sufficient staff to respond to financial triggers in a timely fashion and to adequately mitigate the risk.

As examples, the Commission’s concerns included:

a customer who was able to continue depositing after providing redacted bank statements in response to a request for evidence of SOF
a customer who was able to deposit £365,000 and lose £284,000 over a period of 3 months without SOF being sufficiently established.

The Commission’s review of the specific customers identified during the Compliance assessment found no evidence of criminal spend with the Licensee.

Failure to consider Ordinary Code Provision (OCP) 2.1.1 – Anti-money Laundering (Casino)¹

The findings set out at 1 to 3 occurred, to an extent, because Spreadex had failed to sufficiently take into account the Commission’s AML guidance. OCP 2.1.1, states: “In order to help prevent activities related to money laundering and terrorist financing, licensees should act in accordance with the Commission’s guidance on anti-money laundering: The Prevention of Money Laundering and Combating the Financing of Terrorism - Guidance for remote and non-remote casinos.

Social Responsibility Code Practice (SRCP 3.4.1) at paragraphs 1 and 2 states “Licensees must interact with customers in a way which minimises the risk of customers experiencing harms associated with gambling. This must include:

a. identifying customers who may be at risk of or experiencing harms associated with gambling
b. interacting with customers who may be at risk of or experiencing harms associated with gambling
c. understanding the impact of the interaction on the customer, and the effectiveness of the Licensee’s actions and approach.

2 Licensees must take into account the Commission’s guidance on customer interaction.”.

The Commission found, and Spreadex acknowledged, that its policies and processes were not fully compliant with SRCP 3.4.1 (1) and (2). In particular:

its financial alerts were ineffective and allowed customers to lose significant amounts over a short period of time
it placed an overreliance on financial alerts to identify customers at potential risk of experiencing harms
it did not sufficiently record and evaluate its customer interactions.

As an example, the Commission’s concerns included a customer who was able to deposit £1.7 million and lose £500,000 during the course of a one month period. Customer interactions had taken place but they had not been sufficiently evaluated, and did not include considering the effectiveness of restricting the account.

This regulatory settlement consists of:

£1,363,786 payment in lieu of a financial penalty, which will be directed towards socially responsible purposes
agreement to the publication of a statement of facts in relation to this case
payment towards the Commission’s costs of investigating the case of £7,831.00.

In considering an appropriate resolution to this investigation, the Commission had regard to the following aggravating and mitigating factors:

Aggravating factors

the serious nature of the breaches identified
the impact on the licensing objectives
that the breach arose in circumstances that were similar to previous cases the Commission has dealt with which resulted in the publication of lessons to be learned for the wider industry
the need to encourage compliance among other operators
the nature of the breaches may mean other customers were affected that the Commission has not reviewed.

Mitigating factors

Spreadex showed insight into the seriousness of the breaches and self-suspended its casino actives for 5 months to mitigate risk
Spreadex provided an action plan immediately following the Compliance Assessment and took effective action to expand and improve its compliance capacity
Spreadex and its senior managers cooperated with the Commission in a timely and transparent manner
Spreadex made an early offer of a regulatory settlement.

Good practice

Gambling operators should take account of failings identified in this investigation to ensure industry learning. Operators should consider the following questions:

do you have formal processes in place to measure the effectiveness of your AML and safer gambling policies and procedures, and are findings adequately recorded?
do you efficiently record all compliance decisions and are you able to demonstrate to the Commission, on request, evidence of ongoing assessment, evaluation and improvement?
do lessons learned from public statements flow into your policy and processes?
do you have a formalised process for analysing the effectiveness of customer interactions to ensure the types of interaction are effective?
do you log the types of behaviour which have triggered a customer interaction and keep sufficient records of interactions, along with decisions not to interact especially in terms of the level of detail provided?

¹OCP do not have the status of licence conditions but set out good practice. Any departure from OCP provision by an operator may be considered by the Commission as part of a licence review.

²Compliance with an SRCP is a condition of the licence by virtue of section 82(1) of the Act.

End of public statement

Ladbrokes Betting & Gaming Limited Public Statement

Published: 17 August 2022

This licensee is part of the Entain Group (Entain) (formerly named the GVC group) of companies.

Operators are expected to consider the issues outlined as follows and review their own practices to identify and implement improvements in respect of the management of customers’ accounts.

Introduction

Licensed gambling operators have a legal duty to ensure gambling facilities are provided in compliance with the Gambling Act 2005 (opens in new tab) (the Act), the conditions of their licence and in accordance with the licensing objectives, which are to:

prevent gambling from being a source of crime or disorder, being associated with crime or disorder or being used to support crime
ensure that gambling is conducted in a fair, and open way
protect children and other vulnerable people from being harmed or exploited by gambling.

This investigation followed a compliance assessment and resulted in the commencement of a section 116 regulatory review¹ of Ladbrokes Betting & Gaming Limited (LBG), Combined Non-Remote Operating Licence number: 001611-N-102408-022. The regulatory review found failings in LBG’s processes which were aimed at preventing Money Laundering (ML) and safer gambling.

Between December 2019 and October 2020 LBG failed to comply with certain Licence Conditions and Codes of Practice (LCCP), specifically:

paragraphs 2 & 3 of licence condition 12.1.1 – Prevention of money laundering and terrorist financing
paragraphs 1 & 2 of Social Responsibility Code Provision (SRCP) 3.4.1 – Customer Interaction.

Taking into account remedial action taken by LBG and in line with our Statement of Principles for licensing and regulation, LBG will voluntarily divest itself of £212,849.86 and pay £2,787,150.14 in lieu of a financial penalty resulting in a total payment of £3,000,000.

The investigation and our subsequent regulatory review found:

failings in LBG’s implementation of Anti-Money Laundering (AML) policies, procedures and controls
deficiencies in its responsible gambling policies, procedures, controls and practices, including weaknesses in implementation
weaknesses in its reporting arrangements.

We found that, between December 2019 and October 2020, LBG had been in breach of the following licence conditions and Social Responsibility Code Provisions:

Breach of paragraphs 2 and 3 of licence condition 12.1.1

Licence condition 12.1.1 (2) states: “Following completion of and having regard to the risk assessment, and any review of the assessment, licensees must ensure they have appropriate policies, procedures and controls to prevent money laundering and terrorist financing.”

LBG accepted:

weaknesses and shortcomings in relation to the adequacy and maintenance of its policies and procedures, and their implementation
certain customers identified by the Commission were able to stake large amounts of money without having been monitored or scrutinised to the standard expected by the Commission

customer G was a high staking cash customer who regularly loaded cash of £500 or more onto shop terminals. This customer placed their first bet on 10 January 2020 and staked circa £168,000 in the proceeding eight months, losing a total of circa £28,000. They were not considered by the Licensee for AML checks, largely due to not being referred for review by shop staff and not hitting the Licensee’s AML threshold triggers. The Licensee acknowledged that it did not commence due diligence checks in relation to this customer until it conducted a review as part of its Governance process in September 2020
customer H’s last 12-month stakes were £440,474 with losses of £68,867 over the same period. The Licensee acknowledged that further formal AML thresholds and checkpoints would have been appropriate in respect of stake levels and has confirmed that it has since amended its approach.

in relation to certain customers identified by the Commission, it placed overreliance on recycled winnings
in particular cases, despite training, local staff or area managers could have escalated potential concerns sooner.

The Commission’s review of the specific customers identified during the compliance assessment found no evidence of criminal spend with the Licensee.

Compliance with a SRCP is a condition of the licence by virtue of section 82(1) of the Act. SRCP 3.4.1 (amended from 31 October 2019) states:

“1 Licensees must interact with customers in a way which minimises the risk of customers experiencing harms associated with gambling. This must include:

a. identifying customers who may be at risk of or experiencing harms associated with gambling
b. interacting with customers who may be at risk of or experiencing harms associated with gambling
c. understanding the impact of the interaction on the customer, and the effectiveness of the Licensee’s actions and approach.

2 Licensees must take into account the Commission’s guidance on customer interaction.”.

LBG accepted it was not fully in compliance with SRCP 3.4.1 as:

it was slow to interact or did not interact with certain customers in a way which minimised their risk of experiencing harms associated with gambling:

in July 2020 customer I staked £29,372 and lost £11,345 (a third of their 12-month loss). This was the customer’s highest monthly stakes since becoming a monitored shop customer and a loss figure that was significantly higher than any previous recorded monthly losses. The customer was not escalated for a safer gambling review by either the shop or support office teams.

in particular cases, despite training, local staff or area managers could have escalated potential concerns sooner:

customer J was able to stake £173,285 and lost £27,753 between October 2019 and October 2020
customer K who was known to be a delivery driver was able to lose £17,000 between October 2019 and October 2020.

whilst it was evaluating the adequacy of certain individual customer interactions, it should have conducted such evaluation to a higher standard and recorded the same more clearly:

the Licensee accepted this failing was relevant in its evaluation of customer L who staked £218,765 and lost £44,597 between October 2019 and October 2020.

in its interactions with certain customers identified by the Commission, affordability ought to have been considered sooner
there were instances where interactions were not specifically adapted depending on the extent of potential harm to a customer.

This regulatory settlement consists of:

(i) divestment of £212,849.86 and (ii) a payment in lieu of £2,787,150.14 making a total payment of £3,000,000 in lieu of a financial penalty, which will be directed towards socially responsible purposes.
agreement to the publication of a statement of facts in relation to this case
agreement by LBG to vary its operating licence to add conditions to its operating licence, namely:

to appoint a Board-level sponsor, reporting directly to the Chair, to assume responsibility for the implementation of its action plan, and
undertake a follow-up independent audit of relevant policies and procedures within 12 months to ensure whether it is effectively implementing its AML and safer gambling policies, procedures and controls, and that any further recommendations made by the independent audit should be implemented thereafter.

payment of the Commission’s costs of conducting the review.

In considering an appropriate resolution to this investigation, the Commission has had regard to the following aggravating and mitigating factors:

Aggravating factors

the serious nature of the breaches identified
the impact on the licensing objectives
there has been a repeated breach or failure by the operator or other group companies
the breach arose in circumstances that were similar to previous cases the Commission has dealt with which resulted in the publication of lessons to be learned for the wider industry
the need to encourage compliance among other operators
the nature of the breaches may mean other customers were affected that the Commission has not reviewed
LBG’s senior management should have been aware of governance issues that lead to the breaches, given their significance.

Mitigating factors

the extent of steps taken to remedy the breach – the Licensee implemented an early action plan to remedy its failings
the Licensee procedurally met the Commission’s timetable in respect of providing material and, where such material could not be provided within the expected time period, sought an extension.

Good practice

Gambling operators should take account of the failings identified in this investigation to ensure industry learning. Operators should consider the following questions:

do you have formal processes in place to measure the effectiveness of your AML and safer gambling policies and procedures, and are findings adequately recorded?
do you efficiently record all compliance decisions and are you able to demonstrate to the Commission, on request, evidence of ongoing assessment, evaluation and improvement?
do lessons learned from public statements flow into your policy and processes?
do you have a formalised process for analysing the effectiveness of customer interactions to ensure that reviews were adequately documented and consistent in their approach?
do you log the types of behaviour which have triggered a customer interaction and keep sufficient records of interactions, along with decisions not to interact, especially the level of detail provided?
have your staff received sufficient AML and SR training?

Notes

¹The Commission commenced its regulatory review on 18 January 2021.

End of public statement

LC International Limited Public Statement

Published: 17 August 2022

This licensee is part of the Entain Group (Entain) (formerly named the GVC group) of companies.

Operators are expected to consider the issues outlined as follows and review their own practices to identify and implement improvements in respect of the management of customers’ accounts.

Introduction

Licensed gambling operators have a legal duty to ensure gambling facilities are provided in compliance with the Gambling Act 2005 (opens in new tab) (the Act), the conditions of their licence and in accordance with the licensing objectives, which are to:

prevent gambling from being a source of crime or disorder, being associated with crime or disorder or being used to support crime
ensure that gambling is conducted in a fair, and open way
protect children and other vulnerable people from being harmed or exploited by gambling.

This investigation followed a compliance assessment and resulted in the commencement of a section 116 regulatory review¹ of LC International Limited (LCI), Combined Remote Operating Licence number: 000-054743-R-330863-0072². The regulatory review found failings in LCI’s processes which were aimed at preventing Money Laundering (ML) and safer gambling.

Between December 2019 and October 2020, LCI failed to comply with certain Licence Conditions and Codes of Practice (LCCP), specifically:

paragraphs 1, 2 and 3 of licence condition 12.1.1, requiring the prevention of money laundering and terrorist financing (ML and TF)
licence condition 12.1.2 requiring operators based in foreign jurisdictions to comply with the Money Laundering, Terrorist Financing and Transfer of Funds (Information of the Payer) Regulations 2017
paragraphs 1 and 2 of Social Responsibility Code Provision (SRCP) 3.4.1, requiring licensees to interact with customers in a way which minimises the risk of customers experiencing harms associated with gambling, and to take into account the Gambling Commission’s guidance on customer interaction
paragraphs 1 and 2 of SRCP 3.9.1 requiring Licensees to put into effect policies and procedures designed to identify separate accounts which are held by the same individual and where customers hold more than one account, the Licensee must have and put into effect procedures which enable them to relate each of a customer’s such accounts to each other.

Taking into account remedial action taken by LCI and in line with our Statement of Principles for licensing and regulation, LCI will voluntarily divest itself of £544,048.03 and pay £13,455,952 in lieu of a financial penalty resulting in a total payment in lieu of a financial penalty of £14,000,000.

The investigation and our subsequent regulatory review found:

failings in LCI’s implementation of Anti-Money Laundering (AML) policies, procedures and controls
deficiencies in its responsible gambling policies, procedures, controls and practices, including weaknesses in implementation
certain customers who were the subject of AML restrictions were able to open account(s) on different brands.

We found that between December 2019 and October 2020 LCI had been in breach of the following licence conditions and Social Responsibility Code Provisions.

Breach of paragraph 1 of licence condition 12.1.1

LCI accepted it breached this licence condition as its ML and TF risk assessment did not sufficiently reflect the Commission’s expectations or fully take into account the Commission’s ML and TF risk assessment of the British gambling industry.

The failings were that LCI’s risk assessment did not:

refer to terrorist financing
make specific reference to customer nationality or business risks in the geographical risk section³.

Breach of paragraphs 2 and 3 of licence condition 12.1.1

Licence condition 12.1.1 (2) states: “Following completion of and having regard to the risk assessment, and any review of the assessment, licensees must ensure they have appropriate policies, procedures and controls to prevent money laundering and terrorist financing.”

Licence condition 12.1.1(3) states: “Licensees must ensure that such policies, procedures and controls are implemented effectively, kept under review, revised appropriately to ensure that they remain effective, and take into account any applicable learning or guidelines published by the Gambling Commission from time to time.”

LCI accepted it breached this licence condition as:

there were weaknesses and shortcomings in relation to the adequacy and maintenance of its policies and procedures, and their implementation
the Commission identified that certain customers were able to deposit large amounts of money without an interaction being triggered (in particular, a Source of Funds (SOF) check):

customer A had £742,000 in deposits during a membership period of 14 months, having first registered in May 2019. The Licensee established via open source that this customer was a director of a newly formed company. The customer’s salary was not known by the Licensee as no personal financial information was available on open source. At the time of the Assessment, the customer had lost £59,000 in the preceding six months
customer B’s total deposits over the life of a six-month account, which was registered in February 2020, were £186,000 with a loss of £31,000 at the time of the Assessment, including almost £25,000 in losses in the last three months. The Licensee acknowledged it should have acted sooner when it identified that the customer’s home address was a social housing property.

in relation to certain customers identified by the Commission, it placed an overreliance on recycled winnings
in relation to certain customers, it should have conducted Enhanced Customer Due Diligence (ECDD) checks sooner than it did:

customer C deposited £157,698 in two months. The Licensee first requested SOF evidence on 9 August 2020, however, the customer was allowed to continue gambling until the account was restricted on 27 August 2020. The Licensee later closed the account on receipt of the customer’s SOF evidence due to the Licensee’s concerns about the legitimacy of the evidence provided
customer D deposited a total of £524,501 in the period of the failings, incurring losses of £75,600. The customer was not requested to provide SOF evidence until April 2020, which they refused to provide, and the account was subsequently closed.

it placed excessive reliance on open-source information in certain cases:

customer A hit an AML trigger in June 2020 by depositing £10,000 in one day. This prompted the Licensee to review the account (via open-source checks) for the first time and no adverse information was found. The customer was allowed to continue playing until they hit a further AML trigger by depositing £60,000 in 7 days, which prompted a SOF check by the Licensee
the Licensee believed customer E to be a wealthy individual based on assumptions made during open-source checks. However, prior to a source of funds request in August 2020, no evidence had been obtained to show that the assumed wealth was being used to fund the account. The customer deposited £140,700 in the period of the failings with an overall net loss of £60,300.

Breach of paragraph 1 of licence condition 12.1.2 (Anti-Money Laundering measures for operators based in foreign jurisdictions)

Paragraph 1 of this condition has been in place since October 2016 and requires that:

The Licensee accepts it breached this licence condition as the AML failings, set out above, constitute a breach of the 2017 Money Laundering Regulations, namely:

regulation 19 (1)(a) requires that the ‘relevant person’ must maintain policies, controls and procedures to mitigate and manage effectively the risks of money laundering and terrorist financing identified in any risk assessment undertaken by the relevant person
regulation 28 (11)(a) requires ongoing monitoring of a business relationship which includes, where necessary, checking source of funds to ensure that the transactions are consistent with the relevant person’s knowledge of the customer, the customer’s business and risk profile
regulation 33 imposes an obligation to apply ECDD measures and enhanced ongoing monitoring in any case identified as one where there is a high risk of money laundering or terrorist financing.

The Commission’s review of the specific customers identified during the compliance assessment found no evidence of criminal spend with the Licensee.

Compliance with a SRCP is a condition of the licence by virtue of section 82(1) of the Act. SRCP 3.4.1 (amended from 31 October 2019) states:

“1 Licensees must interact with customers in a way which minimises the risk of customers experiencing harms associated with gambling. This must include:

a. identifying customers who may be at risk of or experiencing harms associated with gambling
b. interacting with customers who may be at risk of or experiencing harms associated with gambling
c. understanding the impact of the interaction on the customer, and the effectiveness of the Licensee’s actions and approach.

2 Licensees must take into account the Commission’s guidance on customer interaction.”.

LCI accepted it was not fully in compliance with SRCP 3.4.1 as:

it was slow to interact with, or did not interact with, certain customers identified by the Commission in a way which minimised their risk of experiencing harms associated with gambling

during their custom with the Licensee, customer F made a large number of deposits and withdrawals and played for extended periods of time overnight and in the early morning; with total deposits of £186,889 in 2019 and £43,956 within six months in 2020. They were twice referred to the safer gambling team and received just one chat interaction. The Licensee accepts there was a lack of interaction with this customer and also accepts that an analyst error in November 2018 led to the customer’s account being reopened, contrary to previous decisions to permanently close it
in respect of customer A who deposited £742,000 in 14 months, the Licensee accepts that its actions in relation to this customer were not of a standard that the Commission or the Licensee, itself, expects. It acknowledges it should have engaged with the customer sooner and when doing so it should have asked further questions regarding affordability and income. The Licensee has since amended its thresholds and related processes to ensure that such an oversight does not happen again.

its policies were not updated in a timely fashion to reflect the introduction of the October 2019 SRCP 3.4.1
in evaluating the adequacy of its customer interaction processes as a whole, the operator should have kept better records of those evaluations
in its interactions with certain customers identified by the Commission, affordability ought to have been considered sooner.

Paragraphs 1 and 2 of SRCP 3.9.1 state:

“1 Licensees must have and put into effect policies and procedures designed to identify separate accounts which are held by the same individual.

2 Where licensees allow customers to hold more than one account with them, the licensee must have and put into effect procedures which enable them to relate each of a customer’s such accounts to each of the others and ensure that:

a. if a customer opts to self-exclude they are effectively excluded from all gambling with the licensee unless they make it clear that their request relates only to some forms of gambling or gambling using only some of the accounts they hold with the licensee;
b. all of a customer’s accounts are monitored and decisions that trigger customer interaction are based on the observed behaviour and transactions across all the accounts;
c. where credit is offered or allowed the maximum credit limit is applied on an aggregate basis across all accounts; and
d. individual financial limits can be implemented across all of a customer’s accounts.”.

LCI accepted it was not fully in compliance with SRCP 3.9.1 as:

there was an ability for customers subject to AML enquiries and restrictions to open multiple accounts with the Licensee’s other brands

in one instance customer A had their account blocked with Coral because they had spent £60,000 in 12 months and failed to provide source of funds, but was immediately able to open an account with Ladbrokes and deposit £30,000 in a single day.

This regulatory settlement consists of:

(i) divestment of £544,048.03 and (ii) a payment in lieu of £13,455,952 making a total payment of £14,000,000 in lieu of a financial penalty, which will be directed towards socially responsible purposes
agreement to the publication of a statement of facts in relation to this case
agreement by LCI to vary its operating licence to add conditions to its operating licence, namely:

to appoint a Board-level sponsor, reporting directly to the Chair, to assume responsibility for the implementation of its action plan, and
undertake a follow-up independent audit of relevant policies and procedures within 12 months to ensure whether it is effectively implementing its AML and safer gambling policies, procedures and controls, and that any further recommendations made by the independent audit should be implemented thereafter.

payment of the Commission’s costs of conducting the review.

In considering an appropriate resolution to this investigation, the Commission has had regard to the following aggravating and mitigating factors:

Aggravating factors

the serious nature of the breaches identified
the impact on the licensing objectives
there has been a repeated breach or failure by the operator or other group companies
the breach arose in circumstances that were similar to previous cases the Commission has dealt with which resulted in the publication of lessons to be learned for the wider industry
the need to encourage compliance among other operators
the nature of the breaches may mean other customers were affected that the Commission has not reviewed
LCI’s senior management should have been aware of governance issues that lead to the breaches, given their significance.

Mitigating factors

the extent of steps taken to remedy the breach - the Licensee implemented an early action plan to remedy its failings
the Licensee procedurally met the Commission’s timetable in respect of providing material and, where such material could not be provided within the expected time period, sought an extension.

Good practice

Gambling operators should take account of the failings identified in this investigation to ensure industry learning. Operators should consider the following questions:

do you have formal processes in place to measure the effectiveness of your AML and safer gambling policies and procedures, and are findings adequately recorded?
do you efficiently record all compliance decisions and are you able to demonstrate to the Commission, on request, evidence of ongoing assessment, evaluation and improvement?
do lessons learned from public statements flow into your policy and processes?
are your customer risk profiles formed by or linked to your money laundering and terrorist financing risk assessment?
do you have a formalised process for analysing the effectiveness of customer interactions to ensure that reviews were adequately documented and consistent in their approach?
do you log the types of behaviour which have triggered a customer interaction and keep sufficient records of interactions, along with decisions not to interact, especially the level of detail provided?
have your staff received sufficient AML and SR training?

Notes

¹The Commission commenced its regulatory review on 11 November 2020.

²LCI trade under: Cheeky Bingo; Coral; Foxy Bingo; Foxy Games; Gala; Gala Bingo; Gala Casino; Gala Coral; Gala Spins; Game Bookers; Ladbrokes; Party Casino; Party Poker; Sporting Bet; bwin.

³The AML Guidance and the Commission’s MLTF risk assessment sets out a number of factors licensees must and should consider when undertaking their own MLTF risk assessments. In addition, the Licensee is required, by virtue of Regulation 18(2)(a) of the Regulations, to take these documents into account when carrying out its own MLTF risk assessment.

End of public statement

Public Statements

Football Pools Limited Public Statement

Introduction

Breach of Paragraphs 2 and 3 of Licence Condition 12.1.1

Failure to comply with paragraphs 1, 4, 5 and 8 of SRCP 3.4.3

Aggravating factors

Mitigating factors

Good practice

AG Communications Limited Public Statement

Introduction

Breach of Licence Condition 12.1.1 (3)

Failure to comply with paragraphs 1, 4, 7, 9 and 11 of SRCP 3.4.3

Failure to comply with Social Responsibility Code Provision 3.9.1 (1) Identification of individual Customers – (Remote) requires:

Breach of Licence Condition 4.2.1 (1) - Disclosure to customers requires:

Breach of Licence Condition 15.2.1 (15) – Reporting key events requires:

Failure to comply with SRCP 4.2.6 (1) – Display of Rules – betting requires:

Failure to comply with SRCP 3.5.3 (1) – Self-exclusion – remote SR code

Aggravating factors

Mitigating factors

Good practice

Notes

Greentube Alderney Limited Public Statement

Introduction

Breach of Paragraph 3 of Licence Condition 12.1.1

Failure to comply with paragraphs 1 and 8 of SRCP 3.4.3

Aggravating factors

Mitigating factors

Good practice

Hillside (UK Sports) ENC Public Statement

Introduction

Breached paragraph 2 of licence condition 12.1.1 between May 2021 and July 2022

Failed to comply with paragraphs 1b and 1c of Social Responsibility Code Provision (SRCP) 3.4.1 (Customer Interaction) between October 2021 to September 2022

Aggravating factors

Mitigating factors

Good practice

Hillside (UK Gaming) ENC Public Statement

Introduction

Breached paragraph 2 of licence condition 12.1.1 (Prevention of money laundering and terrorist financing) between May 2021 and July 2022

Breached licence condition 12.1.2 (Anti-Money Laundering - Measures for operators based in foreign jurisdictions) between May 2021 and July 2022

Failed to comply with paragraphs 1b and 1c of SRCP 3.4.1 (Customer Interaction) between October 2021 to September 2022

Aggravating factors

Mitigating factors

Good practice

Lindar Media Limited Public Statement

Introduction

Breach of paragraph 1 of licence condition 12.1.1

Breach of paragraph 2 of licence condition 12.1.1

Breach of paragraph 3 of licence condition 12.1.1

Failure to take into account Ordinary Code Provision 2.1.1

Breach of licence condition 15.2.1 (4) - Reporting key events

Breach of licence condition 1.2.1(3) - Specified management offices – personal management licences

Failure to comply with paragraph 1b, 1c and 2 of SRCP 3.4.1 (Customer Interaction)

Identify

Interact

Failure to comply with SRCP 5.1.6 - the advertising codes

Failure to comply with SRCP 3.1.1(2) – Combating problem gambling

Aggravating factors

Mitigating factors

Good practice

Notes

Done Bros (Cash Betting) Limited Public Statement

Introduction

Breached licence condition 12.1 Prevention of money laundering and terrorist financing

Breach of paragraph 1 of licence condition 12.1.1

Breach of paragraph 2 and 3 of licence condition 12.1.1

Failed to comply with Paragraph 1 and 2 of SRCP 3.4.1 (Customer Interaction)

Aggravating factors

Mitigating factors

Good practice

Notes

Videoslots Limited Public Statement

Introduction

Breach of licence condition 12.1.1(3)

Failure to comply with SRCP 3.4.1 Customer interaction

Conclusion

Aggravating factors:

Mitigating factors:

Good practice

Notes

Skill On Net Limited Public Statement

Breach of licence condition 8.1.1 (Display of Licensed Status)²

Failure to consider Ordinary Code Provision (OCP) 2.1.1 – Anti-money Laundering (Casino)¹

Failure to comply with: Social Responsibility Code 3.4.1²