Andrew Tait Consultant Solicitor
Betting & Gaming sector update November 2018
Like many other EU jurisdictions, Malta was late in updating its AML regulations in line with the 4th Money Laundering Directive, only doing so on 21 December 2017, well past the 26 June 2017 deadline. However, it is not alone, with countries such as Ireland still without updated regulations.
Malta is under pressure from the EU Commission to improve its AML monitoring and enforcement regime, following an alleged lack of oversight of the financial services sector by its Supervisory Authority, the Financial Intelligence Analysis Unit (FIAU). It now needs to put in place changes to bolster the way it assesses compliance with AML requirements by all entities regulated by it, including in the gaming sector. The gaming sector has no separate Supervisory Authority and, unlike in Great Britain, the gambling regulator (the MGA) is not the authority responsible for ensuring compliance with and enforcement of AML regulations. Failure to meet acceptable standards will lead to enforcement by the FIAU. Such standards and guidelines are very helpfully set out in its updated consultation document for implementing procedures (published 30 October 2018). The industry has a chance to give feedback on these changes before the end of the year, facilitated by a training session set up by the FIAU on 18 and 19 December.
The FIAU can be commended for drafting such a detailed and helpful guide, which gives illustrations and typologies to act as a practical framework on which operators can build their processes and procedures. There is also insight into how outsourcing of AML functions should be dealt with and where the line exists between the obligation to have effective internal oversight under the control of a senior and suitably qualified person (the money laundering reporting officer) and the ability to have third parties implement some of the AML procedures. Outsourcing can, for instance, be applied to risk assessments, implementation of CDD and record keeping procedures.
Penalties are also detailed, rising to a maximum of €1M or 2x the value of the derived benefit. If failings stem from individuals then they may also be the subject of such enforcement proceedings. In conclusion, Malta operators will need to review their AML controls to ensure that they meet the high standards set out in the FIAU’s consultation document and, if they have British customers, they will also need to take on board the Gambling Commission’s guidance and learnings from published failings of its licensees.
British Gambling Commission AML Enforcement
Over the past year, since the announcement by the Gambling Commission that it was starting an AML thematic review in June 2017, with follow-up announcements that 17 investigations were ongoing and 5 possible licence reviews, we have waited with bated breath. In the meantime there have been AML regulatory settlements for William Hill (Feb 18: £6.2M), 32 Red (June 18: £2.2M) and PaddyPower/Betfair (Oct 18: £2.2M); however, these all related to older failures, with some stemming back to 2014.
On 13 November the Commission announced that it had imposed a financial penalty of £7.1M on Daub Alderney Limited (“Daub Alderney”), the remote bingo and casino operating arm of Stride Gaming plc. This case seems to be the Commission’s first major enforcement decision stemming from its AML thematic review. The seriousness of the case is highlighted by the fact that Commission officers referred the matter to the Regulatory Panel for a decision. The significant failings in the case are quite staggering: absence of any AML Risk Assessment, lack of a Money Laundering Reporting Officer, inadequate risk-sensitive policies, inadequate CDD and record keeping, lack of enhanced CDD and on-going monitoring of customers, holes in the staff training programme, inadequate resources for the compliance function, and no monitoring of problem gambling and associated AML risks. The list extends into social responsibility territory with failures in their self-exclusion processes. Daub Alderney has also received a formal warning and will also be required, by specific conditions attached to its licence (both being further formal regulatory sanctions in addition to the fine), to:
- Appoint an appropriately qualified MLRO and be able to evidence to the Commission that the individual undertakes annual refresher training;
- Ensure that all PML holders, senior management and key “control” staff undertake outsourced AML training and refresher training annually;
- Engage external auditors whose appointment and terms of reference must be agreed with the Commission to audit the internal reviews undertaken of the effectiveness and implementation of AML and SR policies;
- Report the outcome of the review and resultant action plan to the Commission.
So substantial further costs will be incurred by the licensee. The key learning from this very serious case is to get procedures and controls right in the first place. The time and costs invested in securing full compliance will save far greater pain later.
This case also shows that the Commission has indeed switched from its previous default of enforcing by means of regulatory settlement to the use of its full armoury of regulatory sanctions and a financial penalty imposed at levels far higher than simply neutralising any financial benefit from AML failings. The £7.1M fine will have a huge impact on this operator, whose last declared EBITDA from 2016 year end was £12.2M. The fact that it is a regulatory penalty will mean that there will be a public record in the sanctions register.
We can expect the outcome of other licence reviews in the near future, given that this is the first.
Changes to open and fair provisions of LCCP
Although they may appear relatively minor, significant changes have been made to several licence conditions and codes of practice (“LCCP”) following the CMA investigation into the industry. These took effect on 31 October 2018.
Licence Condition 7.1.1 – Fair and Transparent Terms and Practices
This has been revised to incorporate specific requirements of the Consumer Rights Act 2015. The result is that licensees must now “ensure” rather than “satisfy themselves” that the terms on which gambling is offered and any related consumer notices are not unfair. Such terms and notices must meet the requirements as to transparency in the CRA – that they are clear and unambiguous and expressed in plain and intelligible language. An additional requirement is that licensees must ensure that they comply with the Consumer Protection from Unfair Trading Regulations 2008. We will be happy to assist in reviewing terms and conditions.
SR Code 1.1.2 – Responsibility for Third Parties
This has been revised to replace the text “licensees are responsible” with “licensees must take responsibility” for the actions of third parties with whom they contract for the provision of any aspect of the licensed activity and is now a stand-alone provision. An addition has also been made to the requirements for contractual terms with third parties to add a specific requirement that contracts provide for termination where affiliates have breached advertising codes of practice.
Code 5.1.6 – Compliance with Advertising Codes
This has now been upgraded to a Social Responsibility Code, which gives the Commission the ability to take its own enforcement action in the event of a breach of CAP or BCAP Codes. There is now a mandatory requirement to undertake marketing in a socially responsible manner and to comply with the codes, through the substitution of the word “should” with “must”. The additional requirement to follow any relevant industry codes is now a separate ordinary code (5.1.8).
New SR Code 5.1.9 – Other Marketing Requirements
This replaces the former SR Code 5.1.7 – Rewards and Bonuses. Paragraph 1 has been simplified to remove specific reference to “free bet offers”. Paragraph 2 has been revised to remove reference to the requirement to comply with CAP and BCAP Codes (now in the separate SR Code above). The revised requirement now reads “licensees must ensure that all significant conditions which apply to marketing incentives are provided transparently and prominently. Licensees must present the significant conditions at the point of sale of any promotion and on any advertising in any medium for that marketing incentive.” Where there are limitations on space the advertising medium must indicate that significant conditions apply and they must be displayed in full no more than one click away.
New SR Code 5.1.11 – Direct Marketing Consent
Following the implementation of GDPR and concerns over unsolicited marketing by affiliates, a new SR Code has been introduced to require that consumers must not be contacted with direct electronic marketing without their informed and specific consent. Licensees must be able to provide evidence of that consent. Each time a customer is contacted in pursuance of that consent they must be provided with the opportunity to withdraw it [i.e. that consent]. If withdrawn the licensee must ensure the customer is not contacted again, as soon as practicable.
SR Code 6.1 – Complaints and Disputes
The code has been significantly re-drafted and the Commission has also issued separate guidance on complaints and disputes handling and reporting requirements. Paragraph 1 has been re-written as follows:
“Licensees must put into effect appropriate policies for accepting and handling customer complaints and disputes in a timely, fair, open and transparent manner.” Specific reference is then made to completing the initial stage of the process within 8 weeks of receiving the complaint. There is a new requirement to ensure that customers are provided with clear and accessible information on how to make a complaint, the complaint procedures, timescales for responding and escalation procedures. There is an on-going obligation to ensure that complaints policies are implemented and kept under review and revised to ensure they remain effective and reflect any guidance issued by the Commission.
Significant changes to age verification and customer identification requirements for remote operators
In its review of online gambling paper published in March 2018 the Gambling Commission set out details of two specific policy reviews and consultations on significant proposed revisions to the licence conditions and codes of practice (“LCCP”) for remote operators. Both are linked to a combination of data provided in regulatory returns and the string of enforcement casework over the past 3 years.
The policy reviews by the Commission have highlighted the need for significant changes to age verification and KYC requirements for remote operators. The Commission is currently consulting (closes 27 November) on changes to be implemented in April 2019 to require:
- That remote licensees verify the age of all customers before they can deposit money or gamble and before they can access play for free versions of games on their websites;
- That remote licensees verify more information about their customers at an earlier stage in their business relationship. This will include, at a later date, introducing initial mandatory limits on customer spend which can only be changed once the licensee has verified further information about the customer.
The specific changes to take effect in April 2019 will be:
Age Verification (removal of the 72 hour rule and reliance on credit card deposits)
The Commission makes clear in its consultation document on proposed changes to age verification that the current “72 hour rule” is permitting customers to deposit money and gamble during that window before they are age verified. It has also identified weaknesses in the current requirement that where the funds are deposited by credit card only random checks need to be undertaken on age verification. The consultation document makes clear that information from regulatory returns shows that there has been a significant increase in the number of customers using remote facilities where the operator has challenged a customer and the customer has been unable to prove their age. Although accepting that not all of the 56,584 such customers for the period October 2016 to September 2017 would have been underage, the Commission references the significant improvements in technology and age verification in the 10 years since the social responsibility code was originally introduced in 2007.
The Commission proposes to revise SR Code 3.2.11 to require that remote operators must implement procedures to verify the age of a customer before the customer is able to:
- Deposit any funds into their account;
- Access any free to play versions of gambling games that the licensee may make available; or
- Gamble with the licensee using either their own money or any free bet or bonus.
The paragraphs of the current SR Code dealing with the deposit by means of credit card and other means are to be removed, meaning that every customer has to be age verified at the outset on registration. The Commission cites the fact that there is now (since the point of consumption regime was implemented in November 2014) a level playing field for all operators accessing the UK market in justification.
Customer Identity Verification
The Commission proposes that the new requirements will be introduced as a licence condition rather than a social responsibility code given that the proposals are aimed at supporting all three licensing objectives. The new licence condition will require that all remote licensees:
- Must obtain and verify information to verify the identity of a customer before they are permitted to gamble. This must include at least the customer’s name, address, date of birth and email address;
- Before permitting a customer to deposit funds, they must be informed of the forms of identity documents or other information which they may be required to provide, the circumstances in which such information may be required and the form and manner in which it should be provided;
- Ensure that the name associated with any payment method matches the verified identity of the same customer (i.e. to ensure it is their card);
- Take reasonable steps to ensure that the information held remains accurate and is up-dated where required.
In addition to the lessons learned from enforcement casework over the past 3 years the Commission cites that many complaints filed with it relate to the fact that operators treat customers unfairly by only requesting this information at the withdrawal stage when in their view the information should be obtained at the beginning of the business relationship to ensure full transparency.
The Commission also made clear in the consultation that although the new requirements will only technically apply from April 2019 to new customers, their expectation is that all existing customers will have been verified to the same standards, thereby requiring retrospective application of the new obligations to all customers before implementation in April 2019.
Given that these revisions will require significant upgrades to operating controls it is imperative that all remote operators should be engaging with their third party verification suppliers to ensure that they have built these enhanced requirements into their product specifications. The new “customer identification” requirements will only “pass” if customers are on the electoral roll, as third party checks will only confirm name and address details if that is the case (i.e. that the customer is on the electoral roll). This will also provide confirmation that the individual is over 18 but not proof of their date of birth and their email address. Both of these elements may require the upload of a passport and proof of an email account before the new licence condition on customer identification will be met.