Money Laundering and Terrorist Financing Risk Assessment 2023

Introduction 

On 30 November 2023, the Gambling Commission (the “Commission”) published its latest risk assessment into money laundering and terrorist financing (the “Commission’s Risk Assessment”), which builds on the Commission’s previous risk assessment, published in December 2020 (the “Commission’s 2020 Risk Assessment”), which we commented on here.

The Commission’s Risk Assessment covers the period from 1 June 2020 to 31 March 2023 and “presents the key risks associated with each of the sectors and encompasses licensed land-based and remote activity in Great Birtain’s gambling industry”. The purpose of the Commission’s Risk Assessment is to provide a resource for the industry to inform their own money laundering and terrorist financing risk assessments, and help inform and prioritise its licensing, compliance, and enforcement activity to raise standards in the industry. Operators should now consider whether their own risk assessment, policies, procedures and controls require updating following the publication of the Commission’s Risk Assessment.

The Commission’s Risk Assessment is required by Regulation 17 (1) of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, which sets out that each supervisory authority must carry out a risk assessment to identify and assess the international and domestic risks of money laundering and terrorist financing of their supervised sector.

The Commission’s Risk Assessment specifically flags that:

1. in September 2022, the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 were updated to require businesses in the regulated sector to risk assess and mitigate proliferation financing; and
2. in February 2022, it produced guidance/an update on how to comply with sanctions regulation (including the UK government’s financial sanctions against Russia).

The risk ratings used in the Commission’s Risk Assessment have been amended since the Commission’s 2020 Risk Assessment. Instead of including the ratings very low and very high, only the risk ratings low, medium and high are used, with very low and very high ratings being merged into low and high respectively.

Overall risk ratings

The Commission notes that the gambling sector is rated as low risk in the HM Treasury and Home Office National Risk Assessment. However, this low rating is in comparison to the relative risk occurring in all regulated financial sectors (including legal services and accountancy). By contrast the Commission’s Risk Assessment compares the money laundering and terrorist financing risk in each individual gambling sub-sector and rates them low to high risk in comparison to each other. 

Comparing the overall risk rating for each sector from Commission’s Risk Assessment to the Commission’s 2020 Risk Assessment, the only change in classification is terrorist financing which has moved from low to medium (due to the “Impact of event occurring” risk moving from low to high). 

Sub-sector risk ratings

Unlike previous years, the Commission’s Risk Assessment does not contain specific sections dedicated to “Additional inherent risks” and “Emerging Risks”, and instead only covers the “Inherent risks” for each sector, with a few of the sectors having an additional section for a “Case Study”.

All of these inherent risks are given a likelihood and impact rating, and then an overall risk rating that combines the two. The likelihood rating assesses the likelihood of a threat materialising, and in calculating this rating, the Commission considers, amongst other things, the sector’s global connectivity and the instances that have been reported to the Commission. The impact rating assesses the extent to which the risk materialising will influence the licensing objectives and the general interest of consumers.

The Commission’s Risk Assessment contains a number of “New Risks” that were not in the previous assessment. A number of existing ratings have also changed since the Commission’s 2020 Risk Assessment, either due to an increase or decrease to the impact or likelihood. 

Given that there has been a change to the overall risk rating for terrorist financing, and that casino, betting and bingo (remote) remains a high risk, we focus on the Commission’s Risk Assessment in these areas, highlighting some key changes and some of the case studies that have been included in the Commission’s Risk Assessment. 

Casino, betting and bingo (remote)

Although casino, betting and bingo (remote) is considered as one sector in the executive summary of the Commission’s Risk Assessment and is given one overall risk rating of “high”, each of casino (remote), betting (remote) and bingo (remote) is given its own section within the Commission’s Risk Assessment and contains its own analysis of the inherent risks.

New risks

For casino, betting and bingo (remote), the “New Risks” identified, and their overall risk ratings are:

• Third party business relationships and business investors (casino (remote) – High);
• Lack of competence of key personnel and licence holders which can then potentially be exploited by criminals seeking to launder the proceeds of crime (casino (remote) – High);
• Multiple methods of payment (casino (remote), betting (remote) and bingo (remote) – High); and
• Casinos acting as Money Service Businesses (MSBs) (casino (remote) – High).

The majority of these risks were previously identified as risks for one of casino, betting or bingo (remote) in the Commission’s 2020 Risk Assessment and so it is likely that many operators, particularly those offering different products, will already consider such risks somewhere in their risk assessments. Such risks will now need to be considered more broadly.

Increased and decreased risks

There are a number of risks that increased for casino, betting and bingo (remote), and these are:

• ‘Smurfing’, which increased from a medium overall risk rating to a high rating for betting (remote);
• Peer to peer betting which increased from a medium overall risk rating to a high rating for betting (remote);
• Customers on the sanction list which increased from a low overall risk rating to a medium rating for bingo (remote); and
• Use of third parties or agents to obscure the source or ownership of money gambled by customers and their identities which increased from a medium overall risk rating to a high rating for bingo (remote).

There are a number of risks that decreased (either in impact or likelihood), for casino, betting and bingo (remote). These are as follows:

• High value customer schemes decreased in likelihood to medium for casino (remote);
• Lack of competence of key personnel and licence holders which can then be exploited by criminals seeking to launder the proceeds of crime decreased in likelihood to medium for betting (remote);
• Gambling operations run or acquired by organised criminals to launder criminally derived funds decreased in likelihood to low for betting (remote);
• Accessibility to multiple remote accounts decreased in likelihood to medium for betting (remote) and bingo (remote);
• Customers from high risk or non-cooperative jurisdictions using remote facilities to launder criminally derived funds decreased in likelihood to medium for betting (remote); and
• Pre-paid cards decreased in likelihood to medium for bingo (remote).

New Risk Ratings

The Commission’s Risk Assessment also contains a number of “New Risk Ratings”. Where this phrase has been used, the Commission is referring to risks that were given only an overall risk rating in the Commission’s 2020 Risk Assessment but have now been assigned a likelihood and impact rating in the Commission’s Risk Assessment. The likelihood and impact ratings for each of these risks are:

Case studies

Through the use of case studies, the Commission also provides examples of a number of different risks that operators should be aware of across the different sectors. We include the case studies for casino, betting and bingo (remote) below.

• Casino (remote)

“Pre-paid cards

An individual made large deposits using pre-paid cards. When the operator attempted to determine the source of the individual’s funds, the customer claimed that they received their salary in cash.

An individual deposited several thousand pounds with pre-paid cards. Subsequent checks revealed that they were unemployed.

Smurfing

An individual had several failed deposit attempts and then made a series of deposits in low amounts. Once the deposits had been made, the customer requested an immediate withdrawal without any gameplay and then made a further small deposit.”

• Betting (remote)

“Mule accounts

A student with no formal employment was asked for source of funds information by an operator as part of Know your customer (KYC) checks. The student provided a bank statement which showed them making large cash deposits into their bank account, which was followed by smaller transfers to other individuals with the payment references naming other gambling operators.

Smurfing

An individual was identified as having made regular deposits in relatively low increments, which were then placed on low-risk bets with an almost guaranteed return. The customer attempted to withdraw using an e-wallet and was asked for evidence that they were the legitimate owner of the wallet. At this point, the individual confirmed their e-wallet account had been closed.”

• Bingo (remote)

“False or stolen ID

A criminal used stolen ID and debit cards with a gambling operator. The individual deposited funds from several stolen debit cards into the gambling account and then attempted to withdraw the funds to one debit card.

Multiple methods of payment

An individual made deposits into their gambling account from several different debit cards as well as an e-wallet. When withdrawing funds, they only used the e-wallet. A customer made multiple deposits using numerous debit cards within the first hour of opening their account.

Accessibility to multiple accounts

Following Know Your Customer (KYC) checks an individual was identified as having deposits and credits with several dozen online gambling operators and payment processors during only a few months.”

Terrorist financing

The overall risk rating for terrorist financing has moved from low to medium since the Commission’s 2020 Risk Assessment, which is largely the result of all risks moving to a high “Impact of event occurring” rating. The inherent risks that are considered, and that have all had an increase in impact are:

• operators failing to understand or take consideration of terrorist financing vulnerabilities and applicable legislation;
• money Service Businesses (MSB);
• charities and terrorist financing;
• mule accounts;
• increase in right-wing terrorism;
• cryptoasset transactions;
• pre-paid cards;
• cash transactions; and
• international terrorism.

The Commission’s Risk Assessment sets out a number of ‘red flag’ indicators that operators should be alert to, including (but not limited to):

• a customer’s income or expenditure which is inconsistent with their occupation;
• use of multiple foreign bank accounts to conduct transactions;
• unexpected large withdrawals or complete withdrawals of sums and sudden account closure;
• accounts linked to pre-paid cards; and
• customer IP address being used by other customers.

Comment

The Commission highlights to operators the importance of Licence Condition 12.1.1.3, which specifies that gambling operators are required to ensure that their “policies, procedures and controls are implemented effectively, kept under review, revised appropriately to ensure that they remain effective, and take into account any applicable learning or guidelines published by the Gambling Commission from time to time.”

It is therefore crucial for operators to take note of the risks, and the changes to risk ratings, outlined in the Commission’s Risk Assessment and revise their own risk assessment, policies, procedures and controls to reflect changes in the assessment of risk, where appropriate. This will require careful review of the Commission’s Risk Assessment and their own risk assessment. Although the Commission has taken three years to develop and publish the Commission’s Risk Assessment, it is anticipated that the Commission will expect operators to reflect the publication of the Commission’s Risk Assessment, as appropriate, in a short timeframe.

For further information please email the authors or your usual CMS contact.

^[1] Despite Cryptoasset transactions being labelled “New Risk Rating”, it already had likelihood and impact ratings of Medium and High respectively in the Commission’s 2020 Risk Assessment.