Written by Andrew Cotton
The Money Laundering, Terrorist Financing and Transfer of Funds (Information on Payer) Regulations 2017, which came into force on June 26 2017, replace the Money Laundering Regulations 2007 and transpose the 4th EU Anti money Laundering (AML) Directive. Equivalent regulations have also been implemented in many other EU jurisdictions recently.
There are some significant changes and it is extremely important that UK licensed remote and non-remote casino operators review the full text, which now extends to 118 pages rather than the 48 page set of 2007 regulations. The detailed requirements in the regulations now carry the weight of the law and do override some sections of the Gambling Commission’s guidance to casinos, which the Commission are currently up-dating and the revised guidance will be issued for a short 4 week consultation.
The 2017 regulations are easier to follow, include far more detail, and can be found here.
Key points that should be addressed, given that any holder of a remote or non-remote casino operating licence must already comply with the letter of the law in the new regulations pending the issue of the Commission’s revised guidance:
1. Part 2 Chapter 2 deals with the new requirements to undertake anti-money laundering risk assessments and then to use that risk assessment to review and up-date policies, controls and procedures. This must be documented and available for inspection. It should also be dynamic and kept under review and updated to factor in any changes to the business that have a knock on effect on AML risks. In line with Licence Condition 12 there must be a review of the risk assessment on at least an annual basis and the results and recommendations should be reviewed by senior management. The operator’s risk assessment must take into account the five risk factors and the Gambling Commission’s AML risk assessment (see regulation 18(2)), which was published in March 2017 and can be found here.
2. Regulation 21 sets out the Internal Controls that must be applied. These include requirements to:
- Screen relevant employees before their appointments and also on an on-going basis
- Appoint a member of the board of directors or senior manager as the officer responsible for compliance with the regulations (this can be the person with overall responsibility for regulatory compliance)
- Establish an independent audit function to assess the effectiveness of policies, controls and procedures which have been adopted to comply with the regulations
- Appoint an individual in the firm as the nominated officer (this could be the member of the senior management team responsible for regulatory compliance but cannot be an external person), as made clear in section 5 of the Commission’s current guidance. This can be the same individual as the person with overall responsibility for AML and regulatory compliance
- Inform the Gambling Commission of the identity of the person responsible for compliance with the regulations and nominated officer within 14 days of appointment (we have asked the Commission to confirm how this is to be done)
3. For those operators that apply the 2000 euro threshold, the regulations change the method of calculation to exclude previous winnings (churn) and the Commission will provide more detailed guidance on this change in due course.
4. The holders of remote casino operating licences are reminded that they are required to carry out enhanced customer due diligence; Regulation 33 sets out the requirements for enhanced due diligence and enhanced ongoing monitoring, given that operator failings in complying with the requirements have resulted in regulatory action being taken against several major operators. Enhanced due diligence includes a requirement to have in place systems that will check whether a customer is a Politically Exposed Person (PEP) or a family member or close associate of a PEP. The operator must have specific controls in place should it propose to allow PEPs to be customers. It is also necessary to ensure that systems and controls check against official records listing individuals subject to sanctions to avoid breaching financial restrictions legislation. Both matters are dealt with in more detail in section 6 of the Commission’s guidance to casino operators. Casino customers should be regularly screened against both sanctions and PEPS databases, as part of on-going enhanced due diligence, and not just after the first deposit.
5. Where operators are part of a group there are additional new obligations (and we understand that there are equivalent provisions in all EEA national legislation) for a relevant parent undertaking to ensure that its policies, controls and procedures apply to all subsidiaries outside the UK, and also any branches established outside the UK that are carrying out activities for the UK licensed entity. This must have regard to the national legislation in any EEA that is required to implement the 4th Directive. Where subsidiaries and branches are established in jurisdictions where the AML laws are not as strict as the UK, the parent undertaking must ensure that the subsidiaries and branches apply controls and measures equivalent to those required by the 4th Directive, as far as permitted under the law of the third country. Where the law of a third country does not permit the application of equivalent measures, it must inform the Gambling Commission and take additional measures to manage the risk of money laundering and terrorist financing effectively.
6. Lastly, the Commission and Remote Gambling Association have reminded operators in recent months that where the holders of remote casino licences operate a single wallet across different products, those other products are brought within the controls under the regulations even though, for the time being, the UK Treasury has not extended the application of the regulations to additional gambling services. The main reason for this has been the implementation of Licence Condition 12, requiring all gambling operators (B2C and B2B) to undertake a money laundering risk assessment of their business, which must be repeated at least annually.
The Commission has been tasked by the Treasury with ensuring that its licensees have carried out adequate AML risk assessments and the Commission have recently confirmed that most of the risk assessments they have reviewed to date have been inadequate and have therefore announced a thematic review of AML controls applied by operators during Q2 2017, in time for the FATF’s inspection of the UK in 2018. Fifteen gambling operators licensed by the Gambling Commission are to be selected for a visit by FATF, as part of the inspection of the UK’s AML controls.
If you need any assistance with either undertaking your risk assessment or wish our team, who have specific expertise in this field, to review the assessment you were required to undertake by 31st October 2016, please do not hesitate to contact Andrew Tait or Alex Ktorides. When in-house in Gibraltar Andrew devised a methodology for an adequate and compliant risk assessment, and undertook his own company’s AML risk assessment. Likewise if you have any questions on the application of the new regulations please do not hesitate to contact one of us.
Contact the Author
My key specialisms are in betting & gaming, liquor licensing and regulatory law. In addition to the licensing of premises I advise clients on the UK’s remote gaming licensing regime and assist them with their applications to the UK Gambling Commission. I assist clients with a variety of regulatory compliance issues and apply my operational experience, gained in-house at the Rank Group, advising on all aspects of gambling regulation, including anti money laundering and social responsibility policies. I am a member of the International Masters of Gaming Law and the Society for the Study of Gambling.