Gambling Commission publishes new Money Laundering and Terrorist Financing Emerging Risks

United Kingdom

On 9 February 2024, the Gambling Commission (the “Commission”) published its new list of emerging money laundering and terrorist financing risks (the “Emerging Risks”). Operators are required to keep up to date with any emerging risks that the Commission publishes and will be expected to take them into account in developing a risk assessment, policies, procedures and controls. The last emerging risks publication by the Commission was circulated in June 2022 (the “Previous Emerging Risks”).

The Emerging Risks identified by the Commission in this latest update are as follows:

  • Multiple cards and innovative payment methods
  • Risks associated with access to third party funds
  • Updated FATF ‘grey list’
  • Funds originating from crypto-assets
  • Common operator failings

This article considers each of those Emerging Risks and the commentary provided by the Commission.

Multiple cards and innovative payment methods

The Commission explains that the risks of the use of multiple cards and other innovative payment methods by customers include multiple stolen debit cards being used to fund online gambling activities and virtual debit card products that allow multiple virtual debit cards to be linked to one bank account.

In order to assist operators with identifying these risks, the Commission has set out a non-exhaustive list of indicators, such as where:

  • the operator is unable to match the customer’s personal details with the card details;
  • the operator does not have the ability to verify the card holder’s identity information; and
  • there are multiple bank accounts being used to fund a customer’s gambling activity.

The Commission also reiterates the importance under the Licence Conditions and Codes of Practice for operators to have robust customer due diligence and onboarding checks in place and specifically references the following:

Licence Condition

“Licensees must conduct an assessment of the risks of their business being used for money laundering and terrorist financing. Such risk assessment must be appropriate and must be reviewed as necessary in the light of any changes of circumstances, including the introduction of new products or technology, new methods of payment by customers, changes in the customer demographic or any other material changes, and in any event reviewed at least annually.”

Licence Condition

“Licensees must obtain and verify information in order to establish the identity of a customer before that customer is permitted to gamble. Information must include, but is not restricted to, the customer’s name, address and date of birth.”

Licence Condition

“Licensees must take reasonable steps to ensure that the information they hold on a customer’s identity remains accurate.”

Risks associated with access to third party funds

The Commission explains that customer access to third party funds (either funds belonging to other people or to businesses) should be considered when risk profiling customers at the start of the customer relationship and that operators should continue to monitor these risks on an ongoing basis throughout the relationship. Customers who have access to third party funds should be considered to present higher inherent risk. 

It is further explained by the Commission that some functions, roles or responsibilities may give individuals access to third party funds, including:

  • the funds of vulnerable people
  • customer funds, in the case of, for example, banking, accounting or finance
  • company funds, and
  • charitable funds.

Updated FATF ‘grey list’

The Financial Action Task Force ‘grey list’ is a list of jurisdictions that are designated as having strategic deficiencies in their anti-money laundering, counter-terrorism financing and proliferation financing frameworks/regimes.

The Emerging Risks provides details of the FATF ‘grey list’ as at October 2023. However, the FATF ‘grey list’ has been further updated (as at 23 February 2024) and operators should refer to the most up to date FATF ‘grey list’.

The table below shows the countries that have been removed from and added to the FATF ‘grey list’ since the Previous Emerging Risks in June 2022:

| Removed from the FATF ‘grey list’ | Added to the FATF ‘grey list’ |
| --- | --- |
| Barbados (removed since the publication of the Emerging Risks on 9 February 2024) | Cameroon |
| Cayman Islands | Democratic Republic of Congo |
| Gibraltar (removed since the publication of the Emerging Risks on 9 February 2024) | Kenya (added since the publication of the Emerging Risks on 9 February 2024) |
| Mali | Namibia (added since the publication of the Emerging Risks on 9 February 2024) |
| Myanmar (moved to the ‘black list’) | South Africa |
| Uganda (removed since the publication of the Emerging Risks on 9 February 2024) | |
| United Arab Emirates (removed since the publication of the Emerging Risks on 9 February 2024) | |

The Commission reminds operators that if any customer relationships are associated with the countries on the FATF ‘grey list’, they should be conducting robust customer due diligence checks, in order to mitigate the risk of money laundering and terrorist financing, including proliferation financing. As set out at paragraph 18.20 of the “Duties and responsibilities under the Proceeds of Crime Act 2002” guidance for operators (excluding casino operators) and paragraph 2.20 of the “prevention of money laundering and combating the financing of terrorism” guidance (for casino operators), the Commission considers that a customer is associated with a country as a result of (1) their citizenship, (2) if it is their country of business or (3) if it is their country of residence.

Funds originating from crypto-assets

The Commission explains that crypto-assets are considered high risk and that in certain instances where customer funds have originated from crypto-assets, operators have not been sufficiently considering the risks associated with the customer funds.

The Commission aims to remind licensees that they are “expected to appropriately scrutinise transactions throughout the course of customer and business relationships”.

Common operator failings

The Commission sets out that there are two main Source of Funds (SOF) failings: ineffective checks and triggers, and a failure to critically review SOF documents.

As a result of ineffective SOF checks and enhanced customer due diligence triggers, customers have been allowed to deposit large sums of money before the first AML review is undertaken.

Operators have also failed to appropriately review SOF documentation. They have instead relied on electronic checks such as Companies House and other open-source information to verify SOF information. The Commission explains that this failing is partly due to failing to provide “sufficient guidance to staff on how to review and verify SOF information and what supporting documents should be requested in this regard”.

The Commission recommends the following non-exhaustive list of actions: 

  • Operators setting realistic and effective monetary and non-monetary thresholds/triggers for determining when customer interaction should take place.
  • Carrying out such interactions earlier on in the customer relationship.
  • Ongoing customer monitoring (including monitoring all transactions or activity). The monitoring of customer activity should be carried out using a risk-based approach. Higher risk customers should be subjected to a frequency and depth of scrutiny greater than may be appropriate for lower risk customers.
  • Considering geographical, customer, transactional and product risk in all customer relationships.

Licence Condition specifies that gambling operators are required to ensure that their “policies, procedures and controls are implemented effectively, kept under review, revised appropriately to ensure that they remain effective, and take into account any applicable learning or guidelines published by the Gambling Commission from time to time”. Operators are expected to keep up to date with any emerging risks that the Commission publishes.

In order to ensure compliance with the anti-money laundering and counter-terrorist financing requirements, it is therefore essential that operators carefully consider the Emerging Risks and make any necessary revisions to their risk assessment, policies, procedures and controls.

For further information please email the authors or your usual CMS contact.