Written by Carlos Moio with contributions from Caroline Le Blanc
Online gambling is a relatively recent, but fast-growing, subset of the gambling industry. Although precise numbers are difficult to determine, industry sources have estimated the market to be worth about USD 58.9 billion (bn) in 2019, compared to an estimate of USD 41.8 bn in 2016. An industry report published in May 2020 estimated that the market would reach a value of USD 92 bn in 2023.1,2 These estimates were published before the impact of the COVID-19 pandemic could be measured; however, an October 2020 industry report claimed that the poker industry had seen a growth of 43% since April 2020.3 In the UK, from March to October 2020 the online gambling market grew with a month-on-month increase of 29% in gross gaming yield.4 This shows that the pandemic has not adversely affected the upwards trend in online gambling seen prior to 2020. Even with the pandemic’s restrictive measures in place through at least the first quarter of 2021, the industry is on course to continue growing. Furthermore, newly developed remote gambling habits are likely to remain with players who may have been hesitant to try online gambling prior to the pandemic.
The growth of online gambling has been accompanied and made possible by significant technological advances. These developments, in a similar fashion to many other industries, have not been immediately followed by a regulatory framework. In fact, regulators have taken a while to catch up. In 2009, a Financial Action Task Force (FATF) report on the gambling industry suggested that there was still a significant gap in understanding regional money laundering risks and vulnerabilities specific to online casinos and online gaming. As the FATF tends to act as a global precursor to national regulations due to its role in setting global standards, its lack of focus on online gambling meant that global standards took a while to develop. This means that regulations have been playing catch up for the last 10 years, with some countries still lacking a regulatory framework for online gambling or even outright banning it. To a large extent, once the online gambling industry becomes regulated in a jurisdiction, the focus across the world in terms of compliance and anti-money laundering (AML) regulations has been to translate regulations applicable to physical gambling to the online domains. The technical issues brought by internet-based gambling can provide extra layers of complexity, but online gambling operators are required to respond mainly to the same questions asked of their physical counterparts:
- Do you have enough details on your customers to minimize the risk of dirty money?
- Are these transactions normal gambling behavior?
- How can you implement an operational and pragmatic AML framework?
Gambling operators that fail to implement a robust system to answer these questions have faced significant fines, particularly in the UK where regulators have been extremely active in this field. In 2020, the Gambling Commission fined an online gambling operator GBP 11.6 million (mn) to settle various compliance shortcomings. The company allegedly allowed a customer to deposit GBP 8 mn and lose half of that amount during a four-year period without conducting adequate source of funds checks.5 Despite the relatively large fines involved in these penalties, some politicians want regulators to impose harsher penalties on offending operators. According to a report published in July 2020 by the British House of Lords on the social and economic impact of the gambling industry, the Gambling Commission’s penalties “do not make a sufficient impact on large corporations.” The report called on the Gambling Commission to be more diligent in withdrawing operators’ licences in severe cases.6 In January 2020, the Swedish Gambling Authority asked the Swedish Ministry of Finance to increase the maximum penalty for gambling operators found in violation of the Money Laundering Act. The regulator claimed that the GBP 1 mn maximum penalty was too low to have an impact on the large gambling companies operating in the country and suggested an amount between GBP 1 mn and 10% of the company’s revenue in the preceding financial year.
So, how can gambling operators prepare themselves for increased enforcement pressure?
The starting point is for an institution to demonstrate to national competent authorities that it uses a risk-based approach and that policies and procedures are in place and align with the AML risks of the gaming industry as well as those specific to the gaming enterprise (e.g. physical or digital, etc.).
Initial risk factors can include the player’s country of origin, the type of product offered by the operator, the payment methods allowed, etc. This risk-based framework combined with a player’s initial risk rating will determine the due diligence level required. Once the initial due diligence process has been completed, a player’s initial risk rating would be reassessed to see whether an adjustment needs to be made and additional information is therefore required. This could happen in instances where one or a series of red flags become apparent, such as an unclear source of funds or reluctance to provide information.
Due diligence is an interactive and ongoing process, meaning that know your customer (KYC) reviews should be performed at the outset before accepting a player and subsequently reviewed throughout the relationship, with an emphasis on assessing risk factors such as a player’s behavior and amounts played.
An operational, pragmatic and structured approach to KYC can help in better risk management while meeting the regulatory requirements. Compliance should not be a “ticking the box” exercise but rather an agile process to maximize the time and money spent on due diligence and minimize risks.
Know Your Customer
Now, more than ever, it is important to know the individual who is gambling. Do they hold positions that are prone to bribery and embezzlement? Do they have a significant footprint in a high-risk jurisdiction? Is there enough public evidence to suggest the money being gambled is from legitimate means, or might it be the proceeds of criminal activity?
With the change to the online world, gambling operations can adapt the traditional methods used to gather information about their customers. Memberships, player clubs and other techniques used by gambling operators to target premium customers have been ways for them to get some basic information such as name, phone number and address that can be used for basic due diligence. The move to the online space facilitates the collection of this data. An online registration form with required fields tailored to operators’ regulatory needs can easily address the data collection requirements. In physical casinos the interpersonal aspect was important to alleviate a feeling of intrusion to customers, but personal information collection forms are a standard process online.
In light of this, regulators have set criteria for gambling operators to conduct basic KYC and enhanced due diligence checks on their players. A basic KYC procedure should allow gambling operators to identify if a customer is a politically exposed person (PEP) or has connections to a high-risk third country via global databases. According to the European Union’s latest AML regulations, these categories of consumers are high-risk and require enhanced due diligence to be conducted. PEPs pose a risk as political positions provide access, influence and decision-making powers not available to most people. A public official or someone closely associated with one is therefore classed as high-risk. On the other hand, individuals with connections to high-risk third countries also pose a higher risk as the countries in which they operate might be affected by terrorism activity or have ineffective AML systems, making their wealth a source of concern. Individuals flagged as sanctioned by any sanctions authority such as the United Nations or the U.S. are also a particular concern for gambling operators.
Enhanced Due Diligence
KYC checks provide a first layer of protection for operators, but they are often required to go deeper and conduct enhanced due diligence on their customers.
Regulators expect operators to have strong frameworks to conduct enhanced due diligence on their customers and can issue fines when that is not the case. In 2020, the UK Gambling Commission fined a gambling operator GBP 3 mn over a number of regulatory failings, including its failure to ensure that adequate enhanced due diligence had been conducted on customers who were flagged as higher risk.8 It would be impractical for operators to conduct enhanced due diligence on all of their customers, and that is not what regulators require. Instead, regulators promote a risk-based approach for operators. This means that operators need to decide, based on the KYC information acquired as well as the customer’s behavior, whether they need to perform enhanced due diligence. Additionally, this does not mean that once a subject has been screened the operator’s responsibility is done. The framework established by operators has to include processes that enable ongoing monitoring of their high-risk customers through periodic reviews.
An enhanced due diligence process should be able to establish a clearer picture of an individual’s background. For example, corporate records can potentially confirm or put into question whether a customer is a director of a company as listed on their LinkedIn profile. Perhaps news reports indicate that the person gambling a significant amount of money has been found guilty of embezzlement in another country.
The following are the main areas of information that enhanced due diligence should aim to provide in order to complement a basic KYC layer.
Source of Wealth: The vast majority of gamblers will have derived their wealth from their professional activity. Corporate directorships and shareholding positions provide helpful insight into an individual’s financial capacity. A senior executive at a high-revenue company elicits fewer questions than a recent graduate gambling with large amounts of money. Professional activity, if confirmed via public records, can also provide gambling operators with an overall picture of an individual’s geographical footprint and connections. One might, for example, discover that the player spending large sums is a former lead accountant at a foreign company marred by corruption. Additional information such as property records, references to inheritances and family fortunes, remuneration and shareholding value can be employed in a risk-based approach to qualify how likely it is that the money being gambled comes from illegal proceeds. Different jurisdictions allow for different levels of detail, which in itself can be considered a risk element in well-defined due diligence processes.
Criminal Activity: Basic due diligence should allow operators to confirm an individual’s identity and, depending on the databases used, might flag major instances of criminal activity. However, there is only so much information these databases can process and list. More extensive due diligence is likely to be required to unearth criminal and relevant civil litigation, especially if the player originates from a foreign country.
The points raised above focus on a customer’s characteristics. However, regulators are also concerned about certain activities while gambling, such as large amounts being gambled by players or complex or unusual transactions. To this effect, regulators have established thresholds for a certain amount transacted that requires operators to conduct enhanced KYC checks. Complex or unusual transactions and transactions that serve no apparent economic or legal purpose are also indicated by some regulators as potential red flags that should elicit enhanced due diligence checks. Why? The fact is that although unusual transactions on their own can raise a red flag, further context is required to determine if the money being gambled is problematic. It is important to note that suspicious transaction monitoring is data-driven and often calibrated to err on the side of caution, which can lead to false positives. The context provided by human analysis is thus an important element in distinguishing between false positives and genuine red flags. Enhanced due diligence might uncover information that suggests the individual has no evident source of the funds they are gambling. Or perhaps, a transaction analysis points to a change in gambling habits that occurred around the same time the player became director at a new company, a company where research uncovers some concerning information. By establishing the information discussed in the previous section, operators can use these enhanced due diligence checks to make a judgement as to whether there are reasons to believe the money being gambled has illicit origins.
Imagine, for example, a scheme in which criminals recruit a handful of individuals on the more obscure corners of the internet to launder proceeds of crime via gambling. Although gambling can result in losses to those involved, it is important to remember that criminals who launder money are prepared to lose some of the nominal value of the dirty money. Gambling operators might be able to identify strange patterns of betting behavior and decide to run some checks on a specific group of players. At first glance, there is little connecting information, but a more extensive investigation might yield points of contact between the players. Evidently, enhanced due diligence and the framework established by gambling operators are not a panacea for money laundering, but they do provide a fighting chance and should limit operators’ exposure to risks.
It is essential for online gambling operators to establish a framework that minimizes the risks posed by online players in order to help the fight against money laundering and protect themselves against costly fines issued by regulators.