The Gaming Industry’s Changing AML/CDD Compliance Landscape

David Norman
Senior Partner, Gambling Integrity Consultants

Below are audience questions and our presenter’s answers from the FinScan webinar, “The Gaming Industry’s Changing AML/CDD Compliance Landscape”.

Click here if you would like to watch the webinar.

Legal disclaimer: The information contained in this question and answer is the professional opinion of the presenter and not that of Innovative Systems, Inc. and is provided to you for informational purposes only. The information is provided to you “AS IS” and does not constitute legal advice. Innovative does not provide legal advice and Innovative is not a law firm. Innovative makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information. You should not rely on this information without independent verification and consultation of your own legal counsel.

How does customer verification differ between a land-based casino and an online operator?

Online, this takes place when the customer signs up. Historically, the verification process wouldn’t necessarily occur until certain thresholds were reached. Today, an earlier intervention at entry is generally required, establishing not only identity but also location, and initiating a micro risk assessment considering PEP status, Sanctions, and adverse media/open source. Potentially, this could be many customers over a short period of time, particularly around a major event. This can be exacerbated in jurisdictions where identity has to be verified prior to any transaction (deposit) taking place, due to the non-face-to-face nature of the business. Experience has shown that a substantial number of people will register with a gaming operator but actually not get to depositing into the gaming account. High volume requires technology such as 3rd party software to be effective and efficient.

In the land-based operations (casinos), the approach possibly is less intense. Customers are permitted to enter and conduct low level gaming but would have to establish a business relationship should they hit certain thresholds. A face-to-face relationship is not necessarily risk free – different risks present themselves and require customer due diligence. Generally speaking, the legitimate customer wants this to be a quick process with minimal intrusion. Equally, the casino will want to provide such a service whilst still conducting a risk assessment of the customer similar to that performed online. Whilst the threshold approach may be effective in some jurisdictions, there are others that may see the business relationship requiring CDD on entry. Equally, it could be determined that a business relationship commences when someone signs up for a loyalty card – they may not have even crossed the threshold or gambled.

Realistically, how can you justify that the average person can afford to gamble?

A very pertinent question. Is this a step towards the nanny state? In the UK, this is the direction of travel and I highlight it for this reason and the potential that other regulators may follow. I suggest the gaming industry should consider risk assessing this – as affordability is now on the agenda – and have innovative approaches as opposed to being dictated to, as in the past with other issues. The industry needs to be proactive as opposed to saying it can’t happen. If the industry is not proactive in addressing ‘affordability’ it potentially hands the initiative to the regulator (maybe the UK Gambling Commission in this case) who could drive unrealistic standards/expectations, leaving the industry to catch up painfully. We need to move to the ‘Future’ part in the evolution of the CDD landscape in my slide from the webinar because, in my view, the negative outlook of the industry in such compliance conundrums doesn’t work.

What are your views regarding drop/loss? The Gambling Commission insists on looking at drop and doesn’t take into account ‘churn money’.

Prior to the Money Laundering Regulations 2017, the Gambling Commission did take into account ‘churn money’. I don’t have specific reasons why they changed their ‘interpretation’ to drop other than, I believe, strong lobbying from the industry to change their view.

It was considered an issue by the industry that someone, for example, starting with €1000 and winning €500 which is then reinvested, unfairly triggers the €2000 threshold much sooner, creating unnecessary due diligence compared to using just drop as the threshold amount. This is also more consistent with other regulated jurisdictions and, perhaps, not penalizing UK-based customers unfairly. It could be argued that using churn reduces the risk of collusion to move funds, but the considered opinion is that this risk is low.

What takes precedent, AML or Problem Gambling screening?

Neither. Both are just as important from the holistic approach and an Ethical Compliance approach as I spoke about. It could be argued that AML has legal requirement and consequences, whereas problem gambling is more from a regulatory view point. As you saw from the theme of the webinar and case studies, you can’t hide from either. The Regulator will take action on either and hold the operator to account for both AML and problem gambling failings. The only approach is a holistic approach.

You made a great point regarding problem gambling and AML being similar. You also talked about the rise of online gaming. What is the need to, and challenge of, identifying who is actually gaming on the other end of the online transaction? As in, has the mobile device/connection been taken over by someone other than the person who signed up for the account?

You are quite right that through many third party verification systems we can ‘verify’ that the identity exists, but we are now moving to digital verification technology to establish that the person is who they actually claim to be.

Smart phones, for example, give us the ability to compare a photographic identity document with a ‘selfie’ photo. Sophisticated systems can check the photo ID for authenticity and compare against the ‘selfie’. This is still developing technology; however, we must always appreciate the resourcefulness of criminals to get around this. No system is ever going to be foolproof to identity theft.

Do you believe that businesses that own and operate video gaming terminals are just as risky as online gambling customers and casinos? I should also note that the gaming businesses own and operate the ATMs that pay out the individual playing/gambling on the gaming terminal, not the owner of the establishment, e.g., a bar. The owner of the establishment does not have access to fill/refill the ATM, so the risk is not the same as what it would be for a business that owns/operates a private ATM.

I accept your second point. These are complex partnerships, but it doesn’t detract from the responsibility of the owner of the establishment to manage the AML/SR (Social Responsibility) risks.

Do you see social media playing any part in CDD?

As I tried to explain in the webinar, social media has a role to play. People post things without thinking of potential consequences. For example, they may outline their employment history. Is this consistent with their level of gambling? Some may make an innocuous comment such as, “I can’t afford to go on holiday this year.” Is this consistent with their level of gambling? Are there red flags here that should be acted upon?

A number of operators are interrogating social media, but confidentiality prevents us from giving detail. That said, you clearly see the potential, so I would suggest following your experience and using social media as a tool.

Can a casino verify the identity of a client that belongs to the military by asking for and scanning the military ID?

I cannot give a specific answer due to privacy laws in each jurisdiction. If the information (a military list) is publicly available, then yes. I would suggest that for security reasons, in most jurisdictions such information may be protected.

How often do you check for Politically Exposed Persons (PEPs)? How is this managed?

Clearly, this should happen at the very least at onboarding. Every individual’s status can change. A person can become a PEP overnight— for example, through a national election process. Equally, a current PEP can lose their status. Although it can be argued once a PEP always a PEP, there are others who say such status should only last for 12 months if status changes. This is another debate and probably comes down to individual operator’s risk assessment.

I suggest an operator’s (casino) active customer list should be reviewed for PEPs at a minimum of once a month.

What is an active customer? Again, open to each operator’s risk assessment. From experience, I would suggest any customer who has had any kind of transaction (deposit, withdrawal, or betting transaction) over the last 6 months. Customers can be fickle and can move from operator to operator (casino to casino) over a period of time. Therefore, to keep checking someone who is not active with ‘you’ is a waste of time. Equally, not checking someone who is active is high risk.

Records and information need to be current, and failing to do so opens up operators to regulatory risk. To manage this, you need an effective case management system to store positive and negative information, with the ability to update as changes happen and crucially, to be able to provide audit and evidence actions should the necessity arise, such as FinScan provides.

I appreciate that the speaker came from the gaming sector. I am wondering what your take is on the pari-mutuel wagering environment and the continued nature of anonymous player activities at race tracks? How would you recommend that this landscape migrate to identification of players?

I don’t have too much experience of pari-mutuel betting but appreciate the risks of on-course betting which, in the UK at least, is mainly cash based.

The identification of punters (players) in this environment has been the subject of debate and I think was instrumental in the UK for the AML/CTF Regulation to stop at Casinos. It was debated prior to the 2017 Money Laundering Regulations being implemented in the UK with the option of including All Types of Gambling coming within the Regulations. When considered in light of the UK AML/CTF National Risk Assessment and strong lobbying from that sector, course betting was considered low risk. There is a substantial fear that to include this form of gambling and the CDD (Customer Due Diligence) requirements it would bring would be unmanageable and kill the industry.