William Hill Group businesses reach regulatory settlements

On 28 March 2023, the Gambling Commission (the “Commission”) announced that it had reached regulatory settlements with WHG (International) Limited (“WHG”), Mr Green Limited (“MRG”) and William Hill Organization Limited (“WH Retail”); all owned by the William Hill Group (and, as of 1 July 2022, the 888 William Hill Group).

The three operators were subject to compliance assessments which resulted in the commencement of licence reviews under s.116 of the Gambling Act 2005. The Commission found that the operators had breached certain of the Licence Conditions and Codes of Practice (“LCCP”) in respect of social responsibility and anti-money laundering (“AML”) obligations (in the period May 2020 to October 2021 for WHG and MRG, and between January 2020 to October 2021 for WH Retail) and agreed regulatory settlements, comprising payments in lieu of financial penalties.

WHG

Breaches

1. Remote Technical Standards

Paragraph 1 of licence condition (“LC”) 2.3.1 of LCCP requires operators to comply with the Commission’s technical standards and with requirements set by the Commission relating to the timing and procedures for testing.

The Commission’s public statement states that WHG accepted it did not fully comply with this requirement as:

• it failed to ensure organisation policies and procedures were in place within its trading rooms;
• certain customer relationships lacked management oversight or control; and
• a member of trading team staff, who had knowledge of a customer’s username and password, placed bets on the customer’s instruction on their online account.

2. AML

LC 12.1.1(1) requires operators to conduct a risk assessment of AML and terrorist financing (“TF”) (and now proliferation financing) risks facing their business, which must be appropriate and reviewed as necessary in light of any changes in circumstances. LC 12.1.1(2) and (3) provide that following the completion of the risk assessment, operators must ensure they have appropriate policies, procedures and controls implemented effectively, which must be kept under review and revised appropriately.

The Commission’s public statement states that WHG accepted it breached paragraph 1 as its risk assessment did not explicitly refer to specific TF risks or the risks associated with the use of third parties or agents obscuring the source of funds, high monetary thresholds or mule accounts.

The public statement also states that WHG accepted it breached paragraphs 2 and 3 as:

• its policies, procedures and controls had weaknesses, in relation to adequacy, maintenance and implementation and they lacked hard stops to prevent further spend prior to risk profiling and guidance on the action to take following customer profiling;
• there were issues with the depth and frequency of ongoing account monitoring and certain customers could deposit large amounts of money without timely enhanced due diligence reviews or KYC checks; 
• it placed an undue reliance on open-source information and the fact that a customer’s winning position posed a smaller risk of money laundering (“ML”) without gathering adequate evidence; and
• it failed to resource due diligence teams sufficiently following a change in triggers that resulted in a backlog of reviews to be completed and there were weaknesses in training and documented processes.

Paragraph 1 of LC 12.1.2 requires licensees to comply with Parts 2 and 3 of the Money Laundering Regulations 2007 (UK Statutory Instrument No. 2157 of 2007) as amended by the Money Laundering (Amendment) Regulations 2007 (UK Statutory Instrument No. 3299 of 2007). The Commission’s public statement notes that WHG accepted that it had breached this condition as a result of the AML failings outlined above.

The Commission’s review of the specific customers identified during the compliance assessment found no evidence of criminal spend with WHG.

3. Social Responsibility

Customer Interaction

Paragraph 1 of the SRCP 3.4.1 (applicable at the time) states that operators must interact with customers in a way which minimises the risks of customers experiencing harms associated with gambling. This involves identifying customers who may be at risk, interacting with them and evaluating the effectiveness of such interactions. Paragraph 2 of the SRCP 3.4.1 (applicable at the time) requires that operators take into account the Commission’s guidance on customer interaction.

The Commission’s public statement states that WHG accepted it was not fully in compliance with paragraphs 1 and 2 of SRCP 3.4.1 as:

• it failed to identify, carry out checks early enough and intervene with certain customers who were at risk of experiencing gambling related harm;
• its system was inadequate as it allowed customers to exceed the thresholds it had previously implemented without interactions occurring and without any block;
• inadequate record keeping hampered WHG’s decision-making when interacting with customers;
• insufficient controls exposed new or returning customers to the risk of substantial losses in a short period of time; and
• WHG relied on automated email interactions when customers hit safer gambling alerts and should have evaluated the effectiveness of those interactions more.

Provision of Credit

SRCP 3.7.1 provides that operators who offer credit to members of the public who are not themselves gambling operators must have procedures to check and score applications for credit from such customers, set a maximum credit limit for each customer and not permit them to exceed that limit without further application and apply a 24-hour delay between receiving a request for an increase in a credit limit.

The Commission’s public statement notes that WHG accepted it was not fully in compliance with SRCP 3.7.1, including, by way of example, because a customer was allowed to exceed their credit limit, and there were weaknesses in documented processes for a small number of accounts.

Identification of individual customers

Paragraph 2a of SRCP 3.9.1 states that where customers are allowed to have more than one account with an operator, it must put into effect procedures which ensure that if a customer opts to self-exclude, they are excluded from all gambling.

The Commission’s public statement states that WHG accepted it was in breach of SRCP 3.9.1 as 331 customers were able to gamble with WHG despite having self-excluded with MRG. Such customers had self-excluded with MRG prior to its acquisition by the William Hill Group.

MRG

Breaches

1. AML

The Commission’s public statement states that MRG accepted that it was in breach of paragraphs 1, 2 and 3 of LC 12.1.1 for the following reasons:

• its risk assessment did not explicitly refer to specific TF risks or refer to high monetary thresholds or use of mule accounts; and
• its policies, procedures and controls had weaknesses similar to those identified for WHG, including lack of guidance as to action following risk profiling and placing undue reliance on open-source information.

The Commission’s public statement states that MRG accepted that it had also breached paragraph 1 of LC 12.1.2 as a result of the AML failings outlined above.

2. Social Responsibility

Customer Interaction

The Commission’s public statement states that MRG accepted it was not fully in compliance with paragraphs 1 and 2 of SRCP 3.4.1 as:

• it failed to identify certain customers at risk of experiencing gambling related harm and checks should have been undertaken at an earlier stage;
• poor systems and a lack of oversight across brands meant it did not have a complete picture of a customer’s activity to identify risk from previous interactions or safeguards in place;
• inadequate record keeping hampered MRG’s decision-making when interacting with customers;
• its controls were insufficient to protect new customers and to effectively consider high velocity spend and duration of play until the customer may have been exposed to the risk of substantial losses in a short period of time; and
• MRG relied on email interactions when customers hit safer gambling alerts, which were not automated but were insufficiently tailored to individual circumstances.

Identification of individual customers

Paragraph 1 of SRCP 3.9.1 states that operators must put policies and procedures into effect that are designed to identify separate accounts held by the same individual.

Paragraph 2b of SRCP 3.9.1 states that where customers are allowed to have more than one account, operators must put into effect procedures which ensure that all of a customer’s accounts are monitored and decisions triggering customer interaction are based on the activity of all their accounts.

The Commission’s public statement states that MRG accepted it was not fully in compliance with SRCP 3.9.1 as it failed to establish early enough that at least four customers, at the time or previously, had accounts with WHG.

WH Retail

Breaches

1. AML

The Commission’s public statement states that WH Retail accepted its breach of paragraphs 1, 2 and 3 of LC 12.1.1 for the following reasons:

• its risk assessment did not explicitly refer to specific TF risks, or the risks associated with customer bank account changes, risks of fraudulent or dyed notes nor business risks in the geographical risk section;
• its risk assessment also failed to mention how WH Retail monitors customers who place bets in multiple betting offices, how this was reviewed and the mitigations in place;
• its policies and procedures had weaknesses in adequacy, maintenance and implementation, there was an over-reliance on recycled winnings for certain customers and failure to appropriately track customers across multiple betting offices.

2. Social Responsibility

Customer Interaction

The Commission’s public statement states that WH Retail accepted that it was not fully in compliance with paragraphs 1 and 2 of SRCP 3.4.1 as:

• it failed to identify changes in certain customer’s behaviour which should have provoked consideration of whether the customer was experiencing harm;
• its controls were insufficient to protect new customers and to effectively consider high velocity spend and duration of play until the customer may have been exposed to the risk of substantial losses in a short period of time;
• in particular cases, it failed to conduct interactions early enough with customers who may be at risk of experiencing harm; and
• there was a lack of evidence evaluating the effectiveness of individual customer interactions and a lack of record keeping limited staff in properly tailoring their interactions with historic interactions in mind.

Regulatory Settlements

The regulatory settlements agreed between each of WHG, MRG and WH Retail and the Commission included:

• payments in lieu of a financial penalty, directed towards socially responsible purposes;
• agreement to the publication of a statement of facts in relation to this case;
• agreement to vary operating licences to add the following two licence conditions to each licence:
  • appointment of Board-level sponsor responsible for compiling and implementing 12-month action plan to deal with post case activity;
  • follow-up independent audit to ensure effective implementation of AML and safer gambling policies, procedures and controls, including implementing any further recommendations made by the auditor; and
• payment of the Commission’s costs of conducting the reviews.

The payment of in lieu of a financial penalty for:

1. WHG was £12,500,000, which included a divestment of £284,361.57;
2. MRG was £3,750,000 which included a divestment of  £218,310.20; and
3. WH Retail was £2,999,850 which included a divestment of  £244,026.95.

In agreeing the settlements, the Commission noted certain aggravating factors, such as the serious nature of the breaches and their repetition by the operator or other group companies, but also recognised a number of mitigating factors, including implementing an early action plan to remedy failings, early and voluntary reporting of breaches to the Commission and meeting the Commission’s timetable.

Lessons Learnt

Reflecting on these three cases, operators should consider the following questions:

• Do you have formal processes in place to measure the effectiveness of your AML and safer gambling policies and procedures, and are findings adequately recorded?
• Do you efficiently record all compliance decisions and can you show the Commission, on request, evidence of ongoing assessment, evaluation and improvement?
• Do you incorporate lessons learned from public statements into your policies and processes?
• Are your customer risk profiles informed by or linked to your ML and TF risk assessment?
• Do you have a formal process for analysing the effectiveness of customer interactions, and do you keep detailed records of the types of behaviour which have triggered a customer interaction?
• Have your staff received sufficient AML and social responsibility training?

Comment

In concluding its enforcement action against the William Hill Group, Andrew Rhodes, the Commission’s Chief Executive, noted that whilst the Commission had taken “unprecedented action” against gambling operators in the past 15 months, it was starting to see signs of improvement in the industry in terms of making gambling safer and tackling the risk of criminal funds entering businesses. He highlighted that: “[o]perators are using algorithms to spot gambling harms or criminal risk more quickly, interacting with consumers sooner, and generally having more effective policies and procedures in place”.

The action taken against the William Hill Group is a reminder that the Commission will consider compliance by reference to other group companies as well as the individual operator. It is important for operators forming part of a group companies to adopt a joined up approach, particularly in the context of self-exclusions and account reviews and decision-making in compliance with SRCP 3.9.1. It should also be noted that the fact there had been “a repeated breach or failure by the operator or other group companies” (with emphasis added) was considered to be an aggravating factor in the context of determining the appropriate financial penalty (as per paragraph 2.8 of the Commission’s Statement of Principles on Financial Penalties).