Results

National Lottery Commission

05/15/2019 | Press release | Distributed by Public on 05/15/2019 00:03

Widespread regulator action results in further £4.5m in penalties for online gambling sector

Four gambling businesses are to pay a total of £4.5m in penalty packages as part of the Gambling Commission's ongoing investigation into the online casino sector.

InTouch Games Limited will pay £2.2m, Betit Operations Limited will pay £1.4m, MT Secure Trade will pay £700,000 and BestBet Limited will pay a total of £230,972.

The penalty packages relate to the businesses failings to put in place effective safeguards to prevent money laundering and keep consumers safe from gambling harm.

The penalty packages form part of an ongoing investigation into the online casino sector. Over the last 18 months the regulator has conducted assessments of, or engaged with, 123 online operators - and of the 45 told to submit an action plan to raise standards 38 have already showed signs of improvement. A further 34 were compliant with standards expected by the Commission or had minor issues which have been, or are in the process of being, remedied.

Since the investigation began five operators have surrendered their licence and can no longer transact with consumers in Britain. In November 2018 imposed nearly £14m in penalties on three companies as result of their failings to put in place effective safeguards to prevent money laundering and keep consumers safe from gambling-related harm.

Richard Watson, Gambling Commission Executive Director, said: 'We have been working hard to raise standards in the online industry to ensure that gambling is crime-free and that the one in five people in Britain who gamble online every month can do so safely.

'But our work will not stop here. As a regulator, we will continue to set and enforce standards that the industry must comply with to protect consumers.

'We expect operators to know their customers and to ask the right questions to make sure they meet their anti-money laundering and social responsibility obligations.'

Read InTouch Games Limited public statement

Read Betit Operations Limited public statement

Read MT Secure Trade public statement

Read BestBet Limited public statement

Notes to editors

  1. More information about how we regulate the gambling industry.
  2. Useful statistics on the gambling industry.
  3. Our approach to enforcement.
  4. Journalists can contact our press office on 0121 230 6700 or email: [email protected]

Following a section 116 review that commenced on 16 April 2018, the Commission determined that InTouch Games Limited failed to comply with the following conditions attached to its operating licence:

  • Anti-money laundering - breaches of:
    • Licence condition 12.1.1(1) - Licensees must conduct an assessment of the risks of their business being used for money laundering and terrorist financing.
    • Licence condition 12.1.1(2) and 12.1.1(3) - Having regard to the risk assessment, licensees must have appropriate policies, procedures and controls to prevent money laundering and terrorist financing, and such policies, procedures and controls are implemented effectively, kept under review and revised appropriately.
  • Customer Interaction - Failure to comply with Social Responsibility Code Provision (SRCP) 3.4.1. Compliance with a SRCP is a condition of the licence by virtue of section 82(1) of the Gambling Act 2005.

Operators are expected to consider the issues here and review their own practices to identify and implement improvements in respect of the management of their customers.

Executive summary

The Gambling Commission (the Commission) has completed an investigation which identified weaknesses in InTouch Games Limited's (ITG) anti-money laundering and social responsibility controls.

On 16 April 2018 the Commission gave ITG notice that we were commencing a review of its operating licence. We commenced a review under section 116(2) of the Gambling Act 2005 (the Act) because we:

  • had reason to suspect that activities may have been carried on in purported reliance on the licence but not in accordance with a condition of the licence (section 116(2)(a) of the Act), and
  • suspected that the Licensee may be unsuitable to carry on the licensed activities (section 116(2)(c)(i) of the Act).

The licence review followed a compliance assessment (the Assessment) focussed on the measures that a remote gambling operator should have in place to address the prevention of money laundering and terrorist financing and compliance with related licence conditions. In carrying out the Assessment, Commission officials identified action that needed to be taken in respect of social responsibility code failures.

The identified failings raised significant concerns about the effectiveness of ITG's management and mitigation of risks to the licensing objectives in place at the time of the Assessment (August 2017). ITG acknowledged its shortcomings at an early stage.

In line with our Statement of principles for licensing and regulation, ITG will make a payment of £2,200,000 in lieu of a financial penalty. A breakdown of the regulatory settlement is set out below.

Findings

1. Breaches of licence condition 12.1.1(1) (Anti-money laundering) - Licensees must conduct an assessment of the risks of their business being used for money laundering and terrorist financing

Licence condition 12.1.1(1) came into effect from 31 October 2016 and requires an operator to assess the risks of their business being used for money laundering and terrorist financing. Such risk assessment must be appropriate and must be reviewed as necessary in the light of any changes of circumstances, including the introduction of new products or technology, new methods of payment by customers, changes in the customer demographic, or any other material changes, and in any event reviewed at least annually.

An appropriate risk assessment allows operators to identify risks relevant to their business, including the risks associated with the customers they transact with, and to conduct effective customer due diligence based on this assessment, among other things.

The Licensee acknowledged that, whilst it did have individual policies concerning anti-money laundering (AML) risk in place, it did not, as at the time of the Assessment, have an appropriate AML risk assessment in place.

The Licensee's AML risk assessment and risk analysis indicated:

  • An over reliance on deposits via the banking system / absence of cash in the business as reducing the money laundering risk.
  • That money laundering risk was considered from an industry-wide perspective, where it placed itself as low risk compared to other remote casinos, rather than an assessment of the risk of money laundering within its own business.
  • A degree of complacency in that it was a low risk business, rather than acknowledge that the casino sector is a high risk of money laundering.
  • That criminal spend was not considered as a risk in the business.

The Licensee supplied a copy of an updated version of its AML risk assessment where several risk ratings had been modified. However, the rationale for these changes was not evident.

2. Breaches of licence condition 12.1.1(2) and 12.1.1(3) - Licensees must have appropriate policies, procedures and controls to prevent money laundering and terrorist financing, and such policies, procedures and controls must be implemented effectively, kept under review and revised appropriately

We found that ITG failed to establish and maintain appropriate risk-sensitive policies, procedures and controls relating to the management of its customers (including the monitoring and management of compliance with such policies and procedures) to prevent money laundering and terrorist financing, as required by licence conditions 12.1.1.2 and 12.1.1.3, and contrary to the requirements of regulation 19 of the Money Laundering, Terrorist Financing and Transfer of Funds (information on the Payer) Regulations 2017 (the 2017 Regulations).

We found that ITG:

  • had inappropriate procedures and controls in place. Neither the Money Laundering Reporting Officer (MLRO), or the Deputy MLRO, were confident in the accuracy of the MLRO report. ITG has since confirmed, following a review, that all Suspicious Activity Reports (SAR) whether internal or submitted, are accurately recorded in the report.
  • was not recording the rationale for decisions taken on employee reports to the MLRO (internal SARs ). This should occur as an appropriate control in the prevention of money laundering or terrorist financing.
  • was unable to demonstrate competency with the SAR reporting regime. ITG agreed that the MLRO was unsuitable for the role, did not have any previous AML or risk management experience and had received only limited internal training with no external training or qualifications.

Following the Assessment, ITG instructed a third party to review its AML processes, including dip sampling of SAR decision making.

The MLRO was removed from the role and a new MLRO and deputy MLRO was appointed.

We also found that:

  • monitoring was not used to determine risk as required. Information on customer spend was held, but not used to inform AML processes.
  • no evidence that high risk customers were being identified, checked and / or monitored, with customer due diligence only being performed to confirm identity.
  • source of wealth / source of funds were not considered because the financial trigger to do so was set too high for the business model. As a result, a customer's level of play was not assessed in line with their known wealth.
  • when we asked ITG to provide details of the customer about whom most was known, the Licensee only related their stated occupation - there was no proof of income and the customer's word had been taken at face value.
  • within the accounts examined, there was no evidence of source of wealth being established over and above open source checks. There was no evidence of interactions with customers requiring them to submit evidence of wealth.
  • enhanced customer due diligence financial triggers that were in place were not appropriate when compared to average customer spend and would exclude most players, so did not reduce the risk of money laundering. No player had ever hit the trigger, so no customer had been asked to provide source of wealth. The thresholds were artificially high and even when triggered, no significant checks were conducted, they were very basic and not intrusive - limited open source checks were not supported by requests to customers, and the information was not at a reliable depth to provide assurance. The MLRO did not have input into the levels of these triggers and could not provide a rationale as to why they were set at that level.
  • policies, procedures and controls did not take account guidance published by the Commission - The prevention of money laundering and combating the financing of terrorism - guidance for remote and non-remote casinos - for example enhanced due diligence, ongoing monitoring, politically exposed persons and SAR reporting.

The Licensee accepts that the financial levels at which some checks were applied were inappropriate, in that they did not capture high-depositing clients, for whom source of funds / wealth checks should have occurred.

Following the initial meeting, the Licensee implemented revised financial triggers. Once these triggers were applied retrospectively to existing players, a number required enhanced due diligence and source of wealth / source of funds enquiries were made. These accounts were either closed or subject to ongoing monitoring.

The Licensee has also implemented a system which analyses information such as deposit amounts, credit card use over multiple accounts and large withdrawals, and then produces reports for the MLRO, VIP or Payment Risk teams to review.

Their job descriptions, as well as Compliances', have been reviewed to include their role in AML and responsible gambling processes within them. ITG has also employed more skilled professionals with significant experience to its AML and Responsible Gambling teams, and has invested heavily in training.

ITG took further steps to remedy the issues by instructing a third-party auditor to conduct a detailed audit of the business in 2018 and conduct further AML focused audits on a quarterly basis.

3. Failure to comply Social Responsibility code provision 3.4.1 - Customer Interaction. Compliance with a social responsibility code is a condition of the operating licence, by virtue of section 82(1) of the Act

Licensees must put into effect policies and procedures for customer interaction when they have concerns that a customer's behaviour may indicate problem gambling. This must include specific provisions in relation to customers designated by the Licensee as 'high value', 'VIP' or equivalent.

Officials found ITG was in breach of SRCP 3.4.1 as there were significant limitations in its ability to proactively identify and mitigate risk. This manifested itself in terms of resource, systems and controls.

ITG did not have a customer interaction policy in place as required between 6 October 2008 until 16 June 2018.

Failings included the Licensee not querying one 'VIP' customer's spending rising from £200 a month to £10,000 a month. This increase in play should have been considered as a behaviour which may warrant an interaction, in accordance with SRCP 3.4.1(b) and (e).

ITG has since invested heavily in developing a Customer Intervention Policy with support from GamCare. A revised Responsible Gambling Policy was also issued in June 2018, to be reviewed annually, and new processes were introduced such as automated flags, which have improved the efficiency of customer interaction.

ITG has also invested heavily in external training for key personnel in the organisation, including the Specialist Certificate in Money Laundering Risk in Betting and Gaming. Further, ITG has become a member of the Remote Gambling Association.

Good practice

We consider that this case provides valuable learning for remote (online) and non-remote gambling operators. They should consider the following questions to address the issues identified in this case:

  • Do you conduct appropriate assessments of the risks of money laundering and terrorist financing for your businesses? Do you implement policies, procedures and controls which manage the identified risks effectively?
  • Do you have effective measures for customer due diligence, the ongoing monitoring of customers, enhanced customer due diligence and enhanced ongoing monitoring? Are these measures sufficiently risk-focused and include the risk profiling of customers for these purposes?
  • Are you adequately evidencing customer interactions?
  • Do you have policies and procedures in place which make specific provision for making use of all relevant sources of information where you have concerns that a customer's behaviour may indicate problem gambling? Are you putting into effect such policies and procedures?
  • Are your customer interaction policies and procedures effective? Are you alert to the risk various customers bring? Are commercial considerations overriding customer protections?
  • Are you providing your staff with appropriate training to ensure that they are aware of the law relating to money laundering and terrorist financing, and how to recognise and deal with transactions, activities or situations which may be related to money laundering or terrorist financing?

Useful guidance

How to comply with your anti-money laundering responsibilities

Social responsibility

Regulatory settlement

The regulatory settlement package in this case consists of:

a) a payment in lieu of a financial penalty of £2,200,000 which will go to a gambling harm related charity to address the risk of harmful gambling,

b) an agreement to publication of a statement of facts by the Commission, and

c) a payment of £14,565 towards the Commission's costs.

ITG has undertaken a review of all of its policies and continue to develop and improve its AML and Responsible Gambling policies, taking into consideration Commission guidance, previous public statements and lessons learned.

ITG has appointed a new MLRO and Deputy MLRO; both of whom have completed and passed the ICA International Advanced Certificate in AML with the MLRO achieving the grade of distinction.

Conclusion

Our investigation found, and ITG accepts, that there were weaknesses in its systems relating to how it managed its customers for AML and social responsibility purposes.

In determining the appropriate outcome, we took the following factors into account:

  • There were significant licence condition breaches for a sustained period of time. This impacted the licensing objectives - particularly preventing gambling from being used to support crime, and protecting vulnerable persons from being harmed or exploited by gambling.
  • Proactive and timely action taken by ITG to address all the issues identified.
  • ITG being open and transparent from the outset of the investigation.
  • A demonstrable insight into the seriousness of the failings.
  • The nature of the Licensee, including its financial resources.

We consider that this case provides valuable learning for remote operators, who should review the conditions of their licences in light of these matters and take a critical approach to assessing their own policies and procedures.

Regulatory settlement

  • Anti-money laundering - breaches of:

Licence condition 12.1.1.1 - Licensees must conduct an assessment of the risks of their business being used for money laundering and terrorist financing.

Licence condition 12.1.1.2 and 12.1.1.3 - Having regard to the risk assessment, licensees must have appropriate policies, procedures and controls to prevent money laundering and terrorist financing and such policies, procedures and controls are implemented effectively, kept under review and revised appropriately.

Licence condition 12.1.2 - Anti-money laundering measures for operators based in foreign jurisdictions requiring compliance with Money Laundering Regulations 2007 (superseded in 2017).

  • Customer interaction - Failure to comply with code of practice - Social Responsibility Code 3.4.1. Compliance with a social responsibility code of practice is a condition of the operating licence by virtue of section 82(1) of the Act.

  • Personal management offices - Breach of licence condition 1.2.1 requiring operators to ensure specified management offices are held by personal management licence (PML) holders.

  • Key event notification - Breach of licence condition 15.2.1 relating to key event notifications in respect of reporting changes in the holders of management offices.

Operators are expected to consider the issues here and review their own practices to identify and implement improvements in respect of the management of customers.

Executive summary

Following a compliance assessment, the Gambling Commission identified weaknesses in Betit Operations Limited's (Betit) anti-money laundering and social responsibility controls. The assessment (carried out in September 2017) also identified failures relating to requirements around personal management offices and key event notifications.

Betit acknowledged its shortcomings at an early stage and accepted that it failed to act in accordance with the Licence Conditions and Codes of Practice (LCCP), the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (the 2017 Regulations) and our guidance on money laundering and terrorist financing.

In line with our Statement of principles for licensing and regulation, Betit will make a payment in lieu of a financial penalty of £1,400,000. A breakdown of the regulatory settlement is set out below.

Findings

1. Breaches of licence condition 12.1.1.1 (Anti-money laundering) - Licensees must conduct an assessment of the risks of their business being used for money laundering and terrorist financing

Licence condition 12.1.1.1 requires operators to conduct an assessment of the risks of their business being used for money laundering and terrorist financing. Such risk assessment must be appropriate and must be reviewed as necessary in the light of any changes of circumstances, including the introduction of new products or technology, new methods of payment by customers, changes in the customer demographic, or any other material changes, and in any event reviewed at least annually.

The assessment found that Betit did not have a formal money laundering and terrorist financing (MLTF) risk assessment in place. Whilst it is accepted that Betit had carried out risk assessments in March 2017 and November 2017, these assessments were not considered sufficient to meet the requirements of licence condition 12.1.1.1 or the 2017 Regulations.

2. Breaches of licence condition 12.1.1.2 and 12.1.1.3 - Licensees must have appropriate policies, procedures and controls to prevent money laundering and terrorist financing and such policies, procedures and controls must be implemented effectively, kept under review and revised appropriately

At the time of the assessment we found that Betit had failed to establish and maintain appropriate risk-sensitive policies, procedures and controls relating to the management of its customers (including monitoring and management of compliance with such policies and procedures) to prevent money laundering and terrorist financing, as required by licence conditions 12.1.1.2, 12.1.1.3 and contrary to Regulation 19 of the 2017 Regulations.

We found Betit:

  • only conducted basic checks on all customers, which consisted of a soft credit check and verification of a customer's name and address. This approach to customer due diligence (CDD) is inadequate as it means that the same approach is adopted for all customers irrespective of the level of risk attributed to the customer.

  • Betit's AML policies did not sufficiently define situations where enhanced customer due diligence (EDD) and enhanced ongoing monitoring would be required.

Betit acknowledged that improvement to their policies, procedures and controls was required in order to better cater for a risk-based approach. Betit has taken steps to remedy the issue and has implemented new policies, procedures and controls.

3. Breaches of licence condition 12.1.2.1 - Anti-money laundering measures for operators based in foreign jurisdictions

Betit was required to put in place and implement the measures described in Parts 2 and 3 of the Money Laundering Regulations 2007 (superseded by the 2017 Regulations) insofar as they relate to casinos.

The investigation found that Betit failed:

  • to apply EDD on a risk-sensitive basis, contrary to Regulation 14 of the 2007 Regulations and Regulation 33 of the 2017 Regulations

  • to apply customer due diligence measures in relation to any transaction that amounted to €2000 or more (Regulation 27(5) and (6) of the 2017 Regulations). Betit's procedures included seven triggers, which it acknowledged were not sufficiently risk-sensitive and Betit implemented a withdrawal threshold figure of €2,300 for customer due diligence, based on Maltese rules and regulations, rather than a threshold of €2,000 in deposits or withdrawals.

  • to have in place appropriate risk-management systems and procedures to determine whether a customer is a politically exposed person (PEP) or a family member or known associate of a PEP, as required by Regulation 35 of the 2017 Regulations.

  • to have an appropriate MLTF risk assessment in place in accordance with Regulation 19 of the 2017 Regulations.

4. Failure to comply with Social Responsibility code 3.4.1 - Customer Interaction. Compliance with a Social responsibility code is a condition of the operating licence by virtue of section 82(1) of the Act

Licensees must put into effect policies and procedures for customer interaction when they have concerns that a customer's behaviour may indicate problem gambling. SR code provision 3.4.1.1.e requires specific provision for making use of all relevant sources of information to ensure effective decision making, and to guide and deliver effective customer interaction, including in particular:

(i) provision to identify at risk customers who may not be displaying obvious signs of, or overt behaviour associated with, problem gambling; this should be by reference to indicators such as time or money spent.

(ii) specific provision in relation to customer designated by the Licensee as 'high value', 'VIP' or equivalent.

We found that at the time of the assessment (September 2017) Betit was in breach of 3.4.1.1 by failing to put into effect its own policies and procedures for customer interaction.

For example, Customer A deposited £67,078 over a 23-day period. It was established that Betit's internal flags had not been triggered in-line with its 'Responsible Gaming Guide'. The customer made numerous bonus requests to the VIP Account Manager over a 16-day period, with each request accompanied by details of the loss of money.

Customer B deposited £110,500 over a 24-hour period and Betit failed to conduct appropriate customer interaction. Instead the operator gave the customer VIP status, offered him cash bonuses and raised his deposit limits despite the bank having declined transactions from two of his cards. Betit has voluntarily refunded this customer.

5. Breach of Licence condition 1.2.1 - operating licence holders must ensure specified management offices must be held by personal management licence (PML) holders and; Breach of licence condition 15.2.1 - Key event reporting

Licensees must ensure that individuals who occupy the management offices specified in respect of the licensed activities hold a personal licence with the Commission authorising the performance of the functions of that office.

In addition, it is a requirement of licence condition 15.2.1.8.b to notify the Commission of the appointment of a person, or a person ceasing to occupy such a management position.

For a thirteen-month period from December 2016 to January 2018, an appropriately qualified individual occupying the information technology function did not hold a personal management licence. We had not been notified by way of a key event that the person previously occupying that position had left the company.

Useful guidance

How to comply with your anti-money laundering responsibilities

Social responsibility

Regulatory settlement

The regulatory settlement package consists of:

a) A payment in lieu of a financial penalty of £1,400,000 which will go to National Responsible Gambling Strategy project(s) to pay for research and treatment as determined appropriate to address the risk of harmful gambling.

b) The voluntary placing of additional conditions on Betit's' operating licence under section 117(1)(b) of the Act, requiring the licensee to:

  • Maintain the appointment of an appropriately qualified Money Laundering Reporting Officer (MLRO) who holds a Personal Management Licence (PML), and, in appointing the MLRO, ensure that the individual undertakes annual refresher training in AML and be able to evidence this to the Commission.

  • Ensure that all PML holders, senior management and key control staff undertake outsourced anti-money laundering training. All such staff must undertake outsourced refresher training annually thereafter.

  • Continue its review of the effectiveness and implementation of its AML and social responsibility (SR) policies, procedures and controls. In addition, Betit will engage external auditors, whose appointment and terms of reference must be agreed with us, to sample the reviews that have been carried out so as to provide additional assurance as to the findings.

c) Agree to the publication of a statement of facts by the Commission

d) Payment of £18,732 towards our investigative costs.

Conclusion

Our investigation found, and Betit accepts, that there were weaknesses in its systems relating to how it managed its customers for anti-money laundering and social responsibility purposes.

In determining the appropriate outcome, we took the following factors into account:

  • There were significant licence condition breaches for a sustained period of time. This impacted the licensing objectives - particularly preventing gambling from being used to support crime, and protecting vulnerable persons from being harmed or exploited by gambling

  • Proactive and timely action taken by Betit to address all the issues identified

  • Betit being open and transparent from the outset of the investigation and fully co- operative throughout

  • A demonstrable insight into the seriousness of the failings

  • The nature of the licensee, including their financial resources

Regulatory settlement

  • Anti-money laundering - breaches of:

Licence condition 12.1.1.1 - Licensees must conduct an assessment of the risks of their business being used for money laundering and terrorist financing.

Licence condition 12.1.1.2 and 12.1.1.3 - Having regard to the risk assessment, licensees must have appropriate policies, procedures and controls to prevent money laundering and terrorist financing and such policies, procedures and controls are implemented effectively, kept under review and revised appropriately.

Licence condition 12.1.2 - Anti-money laundering measures for operators based in foreign jurisdictions requiring compliance with Money Laundering Regulations 2007 (superseded in 2017).

  • Customer interaction - Failure to comply with code of practice - Social Responsibility Code 3.4.1. Compliance with a social responsibility code of practice is a condition of the operating licence by virtue of section 82(1) of the Act.

  • Key event notification - Breach of licence condition 15.2.1 relating to key event notifications in respect of reporting changes in the holders of management offices.

  • Customer interaction - Failure to act in accordance with a code of practice - Ordinary Code 3.4.2. Operators should keep a record of customer interactions, and where an interaction has been ruled out, the reasons for this.

Operators are expected to consider the issues here and review their own practices to identify and implement improvements in respect of the management of customers.

Executive summary

Following a compliance assessment, the Gambling Commission identified weaknesses in MT SecureTrade Limited's (MTST) anti-money laundering and social responsibility controls. The assessment (carried out in August 2017) also identified failures relating to requirements around key event notifications.

MTST acknowledged its shortcomings at an early stage and accepted that it failed to act in accordance with the Licence Conditions and Codes of Practice (LCCP), the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer Regulations 2017 (the 2017 Regulations) and our guidance on money laundering and terrorist financing.

In line with our Statement of principles for licensing and regulation, MTST will make payments in lieu of a financial penalty of £700,000. A breakdown of the regulatory settlement is set out below.

Findings

1. Breaches of licence condition 12.1.1.1 (Anti-money laundering) - Licensees must conduct an assessment of the risks of their business being used for money laundering and terrorist financing

Licence condition 12.1.1.1 requires operators to conduct an assessment of the risks of their business being used for money laundering and terrorist financing. Such risk assessment must be appropriate and must be reviewed as necessary in the light of any changes of circumstances, including the introduction of new products or technology, new methods of payment by customers, changes in the customer demographic, or any other material changes, and in any event reviewed at least annually.

The assessment found that MTST did not have a formal money laundering and terrorist financing (MLTF) risk assessment in place. Whilst it is accepted that MTST had carried out risk assessments in March 2017, November 2017 and November 2018, these assessments were not considered sufficient to meet the requirements of licence condition 12.1.1.1 or the 2017 Regulations.

2. Breaches of licence condition 12.1.1.2 and 12.1.1.3 - Licensees must have appropriate policies, procedures and controls to prevent money laundering and terrorist financing and such policies, procedures and controls must be implemented effectively, kept under review and revised appropriately

At the time of the assessment we found that MTST had failed to establish and maintain appropriate risk-sensitive policies, procedures and controls relating to the management of its customers (including monitoring and management of compliance with such policies and procedures) to prevent money laundering and terrorist financing, as required by licence conditions 12.1.1.2, 12.1.1.3 and contrary to Regulation 19 of the 2017 Regulations.

We found MTST:

  • only conducted basic checks on all customers, which consisted of a soft credit check and verification of a customer's name and address. This approach to customer due diligence (CDD) is inadequate as it means that the same approach is adopted for all customers irrespective of the level of risk attributed to the customer.

  • MTST's AML policies did not sufficiently define situations where enhanced customer due diligence (EDD) and enhanced ongoing monitoring would be required.

MTST acknowledged that improvement to their policies, procedures and controls was required in order to better cater for a risk-based approach. MTST have taken steps to remedy the issue and have implemented new policies, procedures and controls.

3. Breaches of licence condition 12.1.2.1 - Anti-money laundering measures for operators based in foreign jurisdictions

MTST was required to put in place and implement the measures described in Parts 2 and 3 of the Money Laundering Regulations 2007 (superseded by the 2017 Regulations) insofar as they relate to casinos.

The investigation found that MTST failed to:

  • apply EDD and enhanced ongoing monitoring on a risk-sensitive basis, contrary to Regulation 14 of the 2007 Regulations and Regulation 33 of the 2017 Regulations

  • take appropriate steps to identify and assess the risks of money laundering and terrorist financing, contrary to Regulation 18 of the 2017 Regulations

  • establish and maintain appropriate risk-sensitive policies and procedures, contrary to Regulation 20 of the 2007 Regulations

  • apply customer due diligence measures in relation to any transaction that amounted to €2000 or more (Regulation 27(5) and (6) of the 2017 Regulations). MTST's procedures included seven triggers, which it has acknowledged were not sufficiently risk-sensitive. MTST implemented a withdrawal threshold figure of €2,300 for customer due diligence, based on Maltese rules and regulations, rather than a threshold of €2,000 in deposits or withdrawals

  • have in place appropriate risk-management systems and procedures to determine whether a customer is a politically exposed person (PEP) or a family member or known associate of a PEP, as required by Regulation 35 of the 2017 Regulations

  • have an appropriate MLTF risk assessment in place in accordance with Regulation 19 of the 2017 Regulations.

4. Failure to comply with Social Responsibility code 3.4.1 - Customer Interaction. Compliance with a Social responsibility code is a condition of the operating licence by virtue of section 82(1) of the Act

Licensees must put into effect policies and procedures for customer interaction when they have concerns that a customer's behaviour may indicate problem gambling. SR code provision 3.4.1.1.e requires specific provision for making use of all relevant sources of information to ensure effective decision making, and to guide and deliver effective customer interaction, including in particular:

(i) provision to identify at risk customers who may not be displaying obvious signs of, or overt behaviour associated with, problem gambling; this should be by reference to indicators such as time or money spent.

(ii) specific provision in relation to customer designated by the Licensee as 'high value', 'VIP' or equivalent.

We found that at the time of the assessment (August 2017) MTST was in breach of 3.4.1.1 by failing to put into effect its own policies and procedures for customer interaction.

For example, Customer A deposited £134,350 over the course of the business relationship with MTST (March 2017 - August 2017) and withdrew £60,683. It was established that despite the fact that MTST's responsible gambling flags had been triggered i.e. cancelled withdrawals, request to increase daily deposit limit, and deposits made with five different credit cards MTST had failed to identify the customer as high risk and obtain source of funds (SOF). MTST has voluntarily agreed to refund this money back to the individual involved.

Customer B deposited £78,155, during a 10-month period, (September 2015 and June 2016) and withdrew £75,960. Due to the customer not reaching the thresholds in place after migration onto MTST's platform, the Licensee had not conducted customer due diligence (CDD) and no customer interactions had taken place. MTST acknowledged that, under the current policies and procedures they now have in place, this player would have been identified, flagged and subject to a customer risk assessment.

Customer C deposited £38,000 across four of MTST's brands. No customer interaction took place and no source of funds or source of wealth was requested. It has been established that this was stolen money and the customer subsequently pleaded guilty to fraud. As part of the Regulatory Settlement, MTST will divest these funds for the benefit of the victims identified whose money was stolen by Customer C and then spent on gambling.

5. Breach of licence condition 15.2.1 - Key event reporting

Licensees must notify the Commission of the appointment of a person to, or a person ceasing to occupy, a 'key position' which includes the person responsible for the Licensee's anti-money laundering procedures, including suspicious activity reporting.

MTST failed to inform the Commission that a person was no longer carrying out the role of the MLRO and that another person had been appointed, in accordance with licence condition 15.2.1.8(c).

Useful guidance

How to comply with your anti-money laundering responsibilities

Social responsibility

Regulatory settlement

The regulatory settlement package consists of:

a) A payment in lieu of a financial penalty of £592,333 which will go to National Responsible Gambling Strategy project(s) to pay for research and treatment as determined appropriate to address the risk of harmful gambling.

b) Divestment of:

  • £73,667 to Customer A

  • £34,000 for the benefit of Customer C's victims

c) The voluntary placing of additional conditions on MTST's' operating licence under section 117(1)(b) of the Act, requiring the licensee to:

  • Maintain the appointment of an appropriately qualified Money Laundering Reporting Officer (MLRO) who holds a Personal Management Licence (PML), and, in appointing the MLRO, ensure that the individual undertakes annual refresher training in AML and be able to evidence this to the Commission.

  • Ensure that all PML holders, senior management and key control staff undertake outsourced anti-money laundering training. All such staff must undertake outsourced refresher training annually thereafter.

  • Continue its review of the effectiveness and implementation of its AML and social responsibility (SR) policies, procedures and controls. In addition, MTST will engage external auditors - whose appointment and terms of reference must be agreed with us - to sample the reviews that have been carried out to provide additional assurance as to the findings.

d) Agree to the publication of a statement of facts by the Commission

e) Payment of £15,301 towards our investigative costs.

Conclusion

Our investigation found, and MTST accepts, that there were weaknesses in its systems relating to how it managed its customers for anti-money laundering and social responsibility purposes.

In determining the appropriate outcome, we took the following factors into account:

  • There were significant licence condition breaches for a sustained period of time. This impacted the licensing objectives - particularly preventing gambling from being used to support crime, and protecting vulnerable persons from being harmed or exploited by gambling

  • Proactive and timely action taken by MTST to address all the issues identified

  • MTST being open and transparent from the outset of the investigation and fully co- operative throughout

  • A demonstrable insight into the seriousness of the failings

  • The nature of the licensee, including their financial resources

Following a section 116 review that commenced on 16 February 2018, the Commission determined that Bestbet Limited failed to comply with the following conditions attached to its operating licence:

  • Anti-money laundering - breaches of:

Licence condition 12.1.1(1) - Licensees must conduct an assessment of the risks of their business being used for money laundering and terrorist financing.

Licence condition 12.1.1(2) and 12.1.1(3) - Having regard to the risk assessment, licensees must have appropriate policies, procedures and controls to prevent money laundering and terrorist financing, and such policies, procedures and controls are implemented effectively, kept under review and revised appropriately.

Licence condition 12.1.2 - Anti-money laundering measures for operators based in foreign jurisdictions requiring compliance with Money Laundering Regulations 2007 (superseded in 2017).

  • Customer interaction - Failure to comply with Social Responsibility Code Provision (SRCP) 3.4.1. Compliance with a SRCP is a condition of the operating licence by virtue of section 82(1) of the Gambling Act 2005 (the Act).

  • Customer interaction - Failed to take into account Ordinary Code Provision 3.4.2.2. Operators should keep a record of customer interactions, and where an interaction has been decided against, the reasons for this.

Operators are expected to consider the issues here and review their own practices to identify and implement improvements in respect of the management of customers.

Executive summary

The Gambling Commission (the Commission) undertook an investigation which identified weaknesses in Bestbet Limited's (Bestbet) anti-money laundering (AML) and social responsibility procedures and controls.

On 16 February 2018, the Commission gave notice to Bestbet that we were commenced a review of its operating licence. We commenced a review under section 116(2) of the Gambling Act 2005 (the Act) because we:

  • had reason to suspect that the activities may have been carried on in in purported reliance on the licence but not in accordance with a condition of the licence (section 116(2)(a) of the Act) and,

  • suspected that the Licensee may be unsuitable to carry on the licensed activities (section 116(2)(c)(i) of the Act).

The licence review followed a compliance assessment that identified weaknesses in Bestbet's AML and social responsibility controls.

Bestbet acknowledged its shortcomings and accepts that it failed to act in accordance with the Licence Conditions and Codes of Practice (LCCP), the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (the 2017 Regulations) and our guidance on money laundering and terrorist financing.

In line with our Statement of principles for licensing and regulation, Bestbet will pay a financial penalty of £230,972. A breakdown of the penalty is set out below.

Findings

1. Breaches of licence condition 12.1.1(1) (Anti-money laundering) - Licensees must conduct an assessment of the risks of their business being used for money laundering and terrorist financing

Licence condition 12.1.1(1) requires operators to conduct an assessment of the risks of their business being used for money laundering and terrorist financing. Such risk assessment must be appropriate and must be reviewed as necessary in the light of any changes of circumstances, including the introduction of new products or technology, new methods of payment by customers, changes in the customer demographic, or any other material changes, and in any event reviewed at least annually.

The compliance assessment found that the Licensee did not have a formal money laundering and terrorist financing risk assessment in place. The Licensee failed to conduct an assessment of the risks of its business being used for money laundering and terrorist financing as required by licence condition 12.1.1(1) and contrary to the requirements of Regulation 18 of the 2017 Regulations.

2. Breaches of licence condition 12.1.1(2) and 12.1.1(3) - Licensees must have appropriate policies, procedures and controls to prevent money laundering and terrorist financing, and such policies, procedures and controls must be implemented effectively, kept under review and revised appropriately

At the time of the assessment, we found that Bestbet had failed to establish and maintain appropriate risk-sensitive policies, procedures and controls relating to the management of its customers (including monitoring and management of compliance with such policies and procedures) to prevent money laundering and terrorist financing, as required by licence conditions 12.1.1(2), 12.1.1(3) and contrary to Regulation 19 of the 2017 Regulations.

We found Bestbet:

  • did not have the required policies and procedures in place, as they were still being drafted and awaiting sign off, and

  • was unable to evidence that it had appropriate policies, procedures and controls to prevent money laundering due to a risk assessment not being in place to identify the actual risk.

Bestbet acknowledged that improvements to its policies, procedures and controls are required to adopt a risk-based approach and will take steps to remedy the issues and implement new policies, procedures and controls. Following the compliance assessment, Bestbet has pro-actively put remedial provisions in place to mitigate the risk to the licensing objectives.

3. Breaches of licence condition 12.1.2(1) - Anti-money laundering measures for operators based in foreign jurisdictions

Bestbet was required to put in place and implement the measures described in Parts 2 and 3 of the Money Laundering Regulations 2007 (superseded by the 2017 Regulations) insofar as they relate to casinos.

The Commission found that Bestbet failed:

  • to take appropriate measures to ensure that relevant employees received training in the law relating to money laundering, contrary to Regulation 24 of the 2017 Regulations.

  • to consistently apply enhanced due diligence and enhanced ongoing monitoring on a risk-sensitive basis, contrary to Regulations 28 and 33 of the 2017 Regulations.

  • to have an appropriate money laundering and terrorist financing risk assessment in place in accordance with Regulation 19 of the 2017 Regulations.

4. Failure to comply with Social Responsibility Code Provision 3.4.1 - Customer Interaction. Compliance with a social responsibility code provision is a condition of the operating licence by virtue of section 82(1) of the Act

Licensees must put into effect policies and procedures for customer interaction when they have concerns that a customer's behaviour may indicate problem gambling. SRCP 3.4.1(1)(e) requires specific provision for making use of all relevant sources of information to ensure effective decision making, and to guide and deliver effective customer interaction, including in particular:

(i) provision to identify at risk customers who may not be displaying obvious signs of, or overt behaviour associated with, problem gambling; this should be by reference to indicators such as time or money spent.

(ii) specific provision in relation to customer designated by the Licensee as 'high value', 'VIP' or equivalent.

We found Bestbet in breach of SRCP 3.4.1(1)(e) as:

  • minimal customer interaction had been undertaken on its customers since becoming licensed by the Commission.

  • it had not undertaken customer interaction in a timely manner.

  • it had failed to take into consideration previously issued Commission guidance and the LCCP.

  • at the time of the compliance assessment, it did communicate with its players, but this was often only done at withdrawal stage.

Useful guidance

How to comply with your anti-money laundering responsibilities

Social responsibility

Penalty package

The penalty package consists of:

a) A warning under section 117(1)(a) of the Act in respect of the breaches set out above.

b) A financial penalty of £230,972 under section 121 of the Act - which will be paid into the Consolidated Fund.

c) The imposition of additional conditions on Bestbet's' operating licence under section 117(1)(b) of the Act, requiring the Licensee to:

  • Appoint an appropriately qualified Money Laundering Reporting Officer (MLRO) who holds a Personal Management Licence (PML), and, in appointing the MLRO, ensure that the individual undertakes annual refresher training in anti-money laundering (AML) and be able to evidence this to the Commission.

  • Ensure that all PML holders, senior management and key control staff undertake outsourced AML training. All such staff must undertake outsourced refresher training annually thereafter.

  • Review the effectiveness and implementation of its AML and Social Responsibility policies and procedures, and within six months engage external auditors, whose appointment and terms of reference must be agreed with the Commission to provide additional assurance as to the findings. The Commission requires a summary of the review and subsequent action plan, with timescales and ownership, to implement any recommendations. This must be reported to the Commission within one month of the audit being completed.

d) Payment of £15,000 towards the Commission's costs.

Conclusion

Our investigation found, and Bestbet accepts, that there were weaknesses in its systems relating to how it managed its customers for AML and social responsibility purposes.

In determining the appropriate outcome, we took the following factors into account:

  • There were significant licence condition breaches for a sustained period of time. This impacted the licensing objectives - particularly preventing gambling from being used to support crime, and protecting vulnerable persons from being harmed or exploited by gambling.

  • Proactive and timely action taken by Bestbet to address all the issues identified including ceasing to offer its services to customers based in Great Britain.

  • Bestbet being open and transparent from the outset of the investigation and fully co- operative throughout.

  • A demonstrable insight into the seriousness of the failings.

  • The nature of the Licensee, including their financial resources.

Posted on 15 May 2019