Gambling White Paper Consultations: The Commission’s Response on Financial Risk and Vulnerability Checks

England and Wales

The Gambling Commission (GC) has now published its response to its latest consultation on financial vulnerability and financial risk (which was published in July 2023 and discussed in our article here). The response states that the GC is working towards a new, proportionate and frictionless system of financial checks and provides for: (i) a new Social Responsibility Code provision for “financial vulnerability” checks; and (ii) a pilot for “frictionless” financial risk assessments.

There is a long history to the new measures, following a consultation and call for evidence on customer interaction in 2020-21, with an initial consultation response published in April 2022. The latest consultation response also includes a summary of the responses to the 2020-21 consultation.

Alongside the new measures, the Betting and Gaming Council has announced a new “Industry Voluntary Code on Customer Checks and Documentation Requests Based on Spend”, which is intended to operate as an interim scheme while frictionless financial risk assessments are developed, tested and implemented.

Our separate article on the GC’s response to the broader consultations on the Gambling White Paper “High stakes: gambling reform for the digital age” can be found here.

Vulnerability checks

The consultation response provides for a new Social Responsibility Code (SRC) 3.4.4 on customer interaction. The SRC has the same effect as a licence condition and requires that remote licensees (subject to limited licence type exceptions) must undertake a “light-touch” financial vulnerability check for customers that reach the threshold.  The threshold will come into force on 30 August 2024 at £500 net deposits in a 30 day period and will reduce on 27 February 2025 to £150 net deposits in a 30 day period.

The financial vulnerability check must (at a minimum) include checks for bankruptcy orders, CCJs, IVAs, DROs and similar. It does not need to be conducted more than once every 12 months.

Critically, although the financial vulnerability check itself is limited to publicly available information, operators must consider this information, together with all of the other information they otherwise know about the customer and are permitted to use, in order to assess risk, take proportionate action and record decision-making. Operators are also still required to comply with the broader requirements in respect of customer interaction in SRC 3.4.3.

As a result, the new requirement for financial vulnerability checks provides an overlay to, rather than replacing the existing regime.  Andrew Rhodes, CEO of the GC has noted:

“the operator should consider all the information they hold about the customer alongside the financial vulnerability check and tailor any action to the level of risk.

The Commission’s existing guidance for remote operators on customer interaction may assist operators in considering how to assess risk, how to take proportionate action and how to record rationale for decisions where action is taken.”

Nonetheless, operators may review their customer interaction policies to consider whether they can be better aligned with the scope and threshold of the financial vulnerability check under SRC 3.4.4. We have provided some examples below, with the important health warning that in doing so, operators will have to consider if they still comply with SRC 3.4.3 and AML conditions.

  1. Operators that previously conducted financial vulnerability checks at a lower level than £150 net deposits in a rolling 30 day period (such as operators who impose it at registration) could consider increasing the threshold for those checks to the £150 threshold.
  2. Operators may wish to revisit the extent to which they rely on postcode or job title, at least at an early stage, based on the GC’s decision that, following feedback through the consultation (including customer feedback that use of postcode data may cause discrimination) they would not require gambling businesses to consider postcode or job title as part of the financial vulnerability check.
  3. Operators could consider aligning their repetition of basic financial checks with the fact that the financial vulnerability check under SRC 3.4.4 is required only every 12 months.

Financial risk assessments pilot

The consultation also introduces a pilot for financial risk assessments through the credit reference agencies Equifax, Experian and TransUnion. The terms are set out in new SRC 3.4.6. The pilot is intended to have three stages over the period of seven months and will be compulsory for large remote operators (in fee categories J1, K1 or L1) and voluntary for smaller operators. During the pilot the process and outcome of these risk assessments should not  alter customer journeys.

The thresholds at which the financial risk assessments are to be carried out are yet to be determined by the GC and may be refined during the course of the pilot.

The consultation response states “We intend to set threshold levels to allow for sufficient data to be obtained to provide robust insight but not to overburden operators participating in the pilot. These threshold levels are not indicative of where thresholds would be set following the pilot.” Accordingly, operators should not rely on the terms of the pilot in respect of the thresholds to be applied to customer journeys in the meantime.

The intention is that the checks will be entirely frictionless for customers and the GC has stated publicly that these enhanced checks will only be introduced if the pilot proves they can be done in a frictionless manner, based on data-sharing.

BGC Interim Code

Given the pilot does not provide guidance on the appropriate financial threshold for risk assessment, in parallel to the consultation response, the BGC published the interim code for financial risk assessments.   This interim code was developed jointly with the GC and backed by Government, providing operators that wish to comply with its terms some comfort that the GC will consider this to be compliant.  However, as set out in more detail below, the interim code is focused only on part of an operator’s obligations with regards to customer interaction and so operators should be wary of placing an overreliance on its terms.

The interim code sets out spending backstops for financial risk assessment at net deposits of £5,000 on a rolling monthly basis (£2,500 for 18-24 year olds) and enhanced consideration at net deposits of £25,000 in a rolling 12 month period. There is flexibility built into these thresholds to take into account recycled winnings by factoring in the customer’s overall net position over the previous 180 days.


The new financial vulnerability checks and the BGC interim code do provide some measure of clarity for operators as regards the appropriate financial threshold for vulnerability checks and the appropriate financial backstop for financial risk assessment. However, they do not provide clarity as to the steps that need to be taken by an operator in response to the results of the vulnerability check or financial risk assessment.

Moreover, the new SRC 3.4.4 and the BGC interim code do not replace any existing legal or regulatory duties. This means that operators also still have to comply with existing SRC 3.4.3 on customer interaction as well as licence conditions related to AML.

The new SRC and the BGC interim code are focused on circumstances where customer spend is the trigger for action. The existing SRC 3.4.3 provides that:

“Licensees must use a range of indicators relevant to their customer and the nature of the gambling facilities provided in order to identify harm or potential harm associated with gambling. These must include:

a. customer spend

b. patterns of spend

c. time spent gambling

d. gambling behaviour indicators

e. customer-led contact

f. use of gambling management tools

g. account indicators.”

Therefore, the new SRCP 3.4.4 and BGC interim code really only operate as backstops for (a) above, if there are no indicators of harm under (b)-(g), rather than a universal threshold to be applied to all customers. That is presumably why the BGC interim code also recognises the need for a range of actions below the thresholds (para 1) and that those actions may result in documents being requested from the customer and/or limiting play before the thresholds are reached.

Andrew Rhodes commented that 

“The thresholds in the [BGC] code represent a set of minimum standards agreed by operators, including backstops where they will consider and engage with customers where necessary…

Of course, operators remain under the obligation to meet other requirements to support customers at risk of harm. All the normal monitoring and action by operators where their customers may be showing signs of risk or harm remain the same and this can often be done in ways which do not involve document checks.”

Moreover, compliance with the new SRC 3.4.4 and BGC interim code will not be sufficient for compliance with AML conditions.  By way of example, the thresholds in both cases are based on net deposits. Over recent years the GC has made clear that operators need to take into account gross deposits as well as net deposits for the purposes of AML, as money being taken in and out of the system may be an AML concern.

As a result, while the new measures offer the prospect of some welcome clarity on backstop financial thresholds for vulnerability checks and risk assessments, operators are still left with significant uncertainty as regards what is needed to be compliant with broader customer interaction (and AML) requirements.