Compliance in the wake of William Hill failures
Yesterday the Gambling Commission handed down a £6.2 million fine to William Hill Group having identified “systemic” failings in the bookmakers anti-money laundering and social responsibility procedures. David Clifton of Clifton Davies Consultancy offers a point by point guide to the basic compliance rules these failings relate to.
The new year started for all British licensed remote casino operators with a letter from the Gambling Commission, heralding a crackdown on the sector for anti-money laundering (AML) and social responsibility (SR) failings.
The letter followed a spate of compliance assessment activity by the regulator with a particular focus on remote casino operators’ approach to AML and customer interaction. The very same issues that have been highlighted in the 20 February public statement on “systemic” failings in these areas by a William Hill Group company resulting in a £6.2 million penalty.
The Commission’s letter talked about investigations into 17 remote operators, five of which might yet face formal licence reviews. This could mean very hefty fines or, worse still, revocation of their operating licences. Holders of personal management licences potentially face regulatory action too.
What is surprising in light of the publicity given to other operators’ failings since as long ago as 2013, is that the failings identified by the Commission relate to the basics set out in the Licence Conditions and Codes of Practice (LCCP), the Money Laundering Regulations (MLR), the Proceeds of Crime Act (POCA), the Terrorism Act and the Gambling Commission’s own AML and POCA guidance documents.
Some commentators jumped – wrongly in my view – to the conclusion that the failings arose from a lack of compliance with the new MLR that came into force on 26 June 2017, implementing the requirements of the fourth EU Anti-Money Laundering Directive.
However, the failings identified by the Commission in its letter are far more fundamental than that and display a lack of appreciation of the basic AML principles laid down by POCA (that came into force 15 years ago) and the MLR 2007.
Back to basics
So, if you received that letter, here are the absolute basics of what you should be doing.
The starting point is LCCP condition 12.1.1 that requires holders of all operating licences (except gaming machine technical and gambling software licences) to conduct and keep up to date a documented assessment of the money laundering (ML) and terrorist financing risks (TFR) to their business.
The Commission’s above-mentioned AML guidance for casinos:
• spells out what to take into account when preparing such a risk assessment, including higher-risk countries, customers, transactions (including means of payment) and products; and
• recommends that the risk assessment should identify known or suspected threats or vulnerabilities, analyse the nature, sources, likelihood, impact and consequences of the identified risk factors and evaluate them to determine priorities for addressing them.
The next stage is to design and effectively implement policies, procedures and controls that are tailored to manage and mitigate the identified risks to your own business, so just copying another operator’s documents won’t work.
Both the risk assessment and management of all internal controls should be overseen by senior management and must then be kept under constant review and revised appropriately to ensure they remain effective.
The above represent the foundations for ensuring that a proper risk-based approach is adopted. The building bricks placed on top of those foundations must also be risk-focused, including risk-profiling your customers.
You should ensure that, in addition to the required customer due diligence identification and verification requirements at the €2,000 threshold, you conduct enhanced customer due diligence on a risk-sensitive basis for those who are higher-risk, so that more information about them is collected, including an understanding of where their funds and wealth have come from.
“Source of wealth” describes how a customer acquired their total wealth. “Source of funds” refers to the activity that generated the funds used for gambling, for example salary payments or sale proceeds and the means through which the customer’s funds were transferred.
Supporting evidence could be by way of payslips, bank statements, recently filed business accounts, documents confirming the source as sale proceeds of a house or shares, a bequest under a will or a win from gambling activities.
Establishing this sort of information enables you to assess whether the customer’s level and type of gambling is consistent with your knowledge of them and their risk profile.
Cover all bases
Don’t rely solely on open source information. Ask the customer to provide written evidence of their circumstances to an appropriate extent, taking into account the ML risk they pose. In some very high-risk cases, you may need input from third party due diligence providers. However, don’t rely solely on such providers either.
Then ask yourself these three questions:
1. Does what I know about this customer justify their level of spend and play?
2. Can I justify that what I know, or have been told, about this customer is actually true?
3. Based on what I know, and the evidence I have to support it, can I justify maintaining a relationship with this customer?
If the answer to any of those questions is no, investigate further or, in the continued absence of the required evidence, terminate your relationship with the customer and consider whether to make a suspicious activity report (SAR) to the National Crime Agency.
The risk posed by each individual customer and their level of gambling will also determine the frequency and depth of scrutiny you must apply to the ongoing monitoring of their gambling transactions so you can detect any activity that may be suspicious, warranting interaction with the customer.
It is crucial that you train staff not only on the law, but on how to recognise and deal with transactions, activities or situations that might be related to ML or TFR, and when a SAR should be submitted.
Remember that such suspicions could be an indicator of problem gambling. You must also ensure that proper use is made of all relevant sources of information in order to identify potential concerns of this type and to interact with the customer accordingly in accordance with LCCP SR code provision 18.104.22.168(e), as well ensuring that you are able to adequately evidence all customer interactions.
The William Hill public statement focuses on these very same issues. It suggests that operators should pose to themselves five questions (I have added one of my own – number 5 below):
1. Are you ensuring you have effective AML and SR procedures and are staff following these procedures?
2. Are you sure you have adequate staff numbers to carry out these procedures?
3. Are you checking that you know higher risk customers’ source of wealth?
4. Are you using all information (including customer spend levels) to identify potential instances of problem gambling?
5. When you identify such instances, do you interact with the customer in a proactive and effective manner to reduce the risk of gambling-related harm?
6. Are you keeping accurate records of these interactions?
Finally, to avoid the same mistake made by some of those now facing a Gambling Commission investigation, make sure that the person appointed as money laundering reporting officer (MLRO) has independence within the business, free access to all relevant information, sufficient resources (including appropriate employees, technology and training) and a full understanding of UK ML law.
If you do that, at least you won’t be making the same mistake made by some of those now facing a Gambling Commission investigation, whose MLROs were unable to answer the simplest questions posed by the Commission’s officers.
Author's note: By necessity, this brief article skates across the surface of what is a complex and challenging set of requirements so, if in any doubt, make sure you seek specialist advice.