The Gambling Commission has published new requirements for identifying at-risk customers and interacting with them to minimise the risk of gambling harms. The new provisions (in the form of a new SR Code 3.4.3) will come into effect on 12 September 2022, and apply to remote B2C operators, but the consultation response is also critical reading for B2B platform and technology providers.
As heralded in the initial consultation, published in November 2020, the measures mark a clear shift towards a more prescriptive approach, and the Commission has indicated that in June 2022, it will also publish guidance (which must be taken into account) to assist operators with implementing the new rules.
Critical questions around "affordability", and in particular what thresholds the Commission may set and what actions will be required at those thresholds, are not addressed and will be additional requirements following a further consultation, expected to be launched this summer. We expect to see the Government's soon-to-be published White Paper in the Gambling Act Review to propose a legislative framework for "affordability", but the detail will be determined by that consultation. The language used to describe the risks the Commission will seek to address may be instructive: unaffordable binge gambling, significant unaffordable losses over time, and identification of consumers who are particularly financially vulnerable.
While this may reassure the industry that the Commission has taken heed of the calls for proportionality, privacy and freedom of choice, it is clear that "affordability" requirements will soon follow. This, along with the more prescriptive approach to customer interaction taken by the Commission in the revised LCCP provisions (and guidance), may at least provide clarity and consistency across the regulated industry, which currently does not exist.
The revised LCCP provisions on customer interaction are themselves significant. They are a more prescriptive evolution of the current Customer Interaction guidance and also focus on identification, interaction and evaluation. Further emphasis is placed on indicators of harm (although we await the guidance for more detail), monitoring accounts from the point of opening, timely action when potential harm is identified, and tailored interactions, which reflect the nature and seriousness of indicators of harm. Additional emphasis is also placed on the obligation to evaluate the effectiveness not only of interactions, but of the overall approach the operator takes to customer interaction.
The more prescriptive approach will be welcomed by some, and the regulatory risks addressed are obviously important. Our biggest concern, however, is whether some of the new provisions are drafted in a way which makes them very difficult (even impossible) to comply with fully. In this regard, the devil is likely to be in the detail of the Commission's upcoming customer interaction guidance in June 2022, and in the planned further consultation on issues relating to affordability requirements.
Overview of new key requirements
In its consultation response document, the Commission agrees with the majority of respondents that the overall process of customer interaction must allow operators to tailor their responses to individual risks; however, the aim of the new provisions is to place far greater emphasis on the actions which operators take as a result of identifying indicators of harm. In doing so, the new SR Code provisions set out some minimum requirements under, broadly, the three main areas of its existing focus, being 1) identifying customers at risk of harm; 2) the requirement to "act" (rather than "interact"); and 3) evaluation. New SR Code 3.4.3 is set out in full below along with a short summary of the key new provisions in each area.
New SR Code 3.4.3
Social responsibility code provision 3.4.3 (with effect from 12 September 2022)
All remote licences, except any remote lottery licence the holder of which does not provide facilities for participation in instant win or high frequency lotteries, remote gaming machine technical, gambling software, host, ancillary remote bingo, ancillary remote casino, ancillary remote betting, remote betting intermediary (trading rooms only) and remote general betting limited licences.
1. Licensees must implement effective customer interaction systems and processes in a way which minimises the risk of customers experiencing harms associated with gambling. These systems and processes must embed the three elements of customer interaction – identify, act and evaluate – and which reflect that customer interaction is an ongoing process as explained in the Commission’s guidance (see paragraph 2).
2. Licensees must take into account the Commission’s guidance on customer interaction for remote operators as published and revised from time to time (‘the Guidance’).
3. Licensees must consider the factors that might make a customer more vulnerable to experiencing gambling harms and implement systems and processes to take appropriate and timely action where indicators of vulnerability are identified. Licensees must take account of the Commission’s approach to vulnerability as set out in the Commission’s Guidance.
4. Licensees must have in place effective systems and processes to monitor customer activity to identify harm or potential harm associated with gambling, from the point when an account is opened.
5. Licensees must use a range of indicators relevant to their customer and the nature of the gambling facilities provided in order to identify harm or potential harm associated with gambling. These must include:
   a. customer spend
   b. patterns of spend
   c. time spent gambling
   d. gambling behaviour indicators
   e. customer-led contact
   f. use of gambling management tools
   g. account indicators.
6. In accordance with SR Code Provision 1.1.2, licensees are responsible for ensuring compliance with the requirements. In particular, if the licensee contracts with third party business-to-business providers to offer any aspect of the licensee’s business related to the licensed activities, the licensee is responsible for ensuring that systems and processes are in place to monitor the activity on the account for each of the indicators in paragraph 5 (a-g) and in a timely way as set out in paragraphs 7 and 8.
7. A licensee’s systems and processes for customer interaction must flag indicators of risk of harm in a timely manner for manual intervention, and feed into automated processes as required by paragraph 11.
8. Licensees must take appropriate action in a timely manner when they have identified the risk of harm.
9. Licensees must tailor the type of action they take based on the number and level of indicators of harm exhibited. This must include, but not be limited to, systems and processes which deliver:
   a. tailored action at lower levels of indicators of harm which seeks to minimise future harm
   b. increasing action where earlier stages have not had the impact required
   c. strong or stronger action as the immediate next step in cases where that is appropriate, rather than increasing action gradually
   d. reducing or preventing marketing or the take-up of new bonus offers where appropriate
   e. ending the business relationship where necessary.
10. Licensees must prevent marketing and the take up of new bonus offers where strong indicators of harm, as defined within the licensee’s processes, have been identified.
11. Licensees must ensure that strong indicators of harm, as defined within the licensee’s processes, are acted on in a timely manner by implementing automated processes. Where such automated processes are applied, the licensee must manually review their operation in each individual customer’s case and the licensee must allow the customer the opportunity to contest any automated decision which affects them.
12. Licensees must implement processes to understand the impact of individual interactions and actions on a customer’s behaviour, the continued risk of harm and therefore whether and, if so, what further action is needed.
13. Licensees must take all reasonable steps to evaluate the effectiveness of their overall approach, for example by trialling and measuring impact, and be able to demonstrate to the Commission the outcomes of their evaluation.
14. Licensees must take account of problem gambling rates for the relevant gambling activity as published by the Commission, in order to check whether the number of customer interactions is, at a minimum, in line with this level. For the avoidance of doubt, this provision is not intended to mandate the outcome of those customer interactions.
Identifying customers at risk of harm
New SR Code 3.4.3(5) provides for a range of "core" indicators of harm which must be monitored (as a minimum), and which (under 3.4.3(4)) will require monitoring from the point of account opening. Those core indicators are:
- Customer spend
- Patterns of spend
- Time spent gambling
- Gambling behaviour indicators
- Customer-led contact
- Use of gambling management tools
- Account indicators
The Commission emphasised that this list now includes 'time spent gambling', but notes that it will not set specific time thresholds for different products, leaving operators to implement time indicators that are suitable for their business. Indeed, the drafting of the new LCCP provision makes clear that the indicators must be relevant to an operator's customers and the nature of the gambling facilities provided.
The consultation response document also emphasises that the requirement to monitor customer accounts from the point of account opening means an operator should be able to identify "unusual and risky" patterns of behaviour from account opening, and that it would not be appropriate for operators to wait until they have information about a customer's typical behaviour in order to do so.
The way in which this more prescriptive approach will be implemented by operators in practice may depend on whether the upcoming guidance from the Commission gives an indication of its expectations as to the trigger points and thresholds to be used within these indicators – particularly at, and in the period immediately following, the point of account opening.
A significant new provision in SR Code 3.4.3(3) is the requirement for operators to:
"consider the factors that might make a customer more vulnerable to experiencing gambling harms and implement systems and processes to take appropriate and timely action where indicators of vulnerability are identified."
While the existing customer interaction guidance expects operators to consider the factors that might make customers more vulnerable and ensure staff ask questions when there are potential signs of vulnerability, this new provision goes further in requiring operators to do so, and to take appropriate and timely action where indicators of vulnerability are identified. The Commission has clarified in its consultation response that whilst operators do need to implement systems which allow indicators of vulnerability to be acted on, "this does not mean that all customers would be required to be screened for vulnerabilities, as this may be intrusive for customers and disproportionate". Different types of vulnerabilities that operators should consider are set out in the existing customer interaction guidance (and these may be supplemented in the new guidance).
The Commission has also included a provision (3.4.3(6)) emphasising the effect of existing SR Code 1.1.2, under which operators are responsible for ensuring compliance with the new requirements in circumstances where they contract with third party B2B providers. The Commission emphasises that "the operator must always understand a customer's gambling position" and that "it is not sufficient to only be aware when a customer returns from using gambling products/games with a third-party provider".
Requirement to act
The Commission notes that many operators have a consistent format for interacting with customers that follows the same process and steps, regardless of the number or severity of the risk indicators involved. It goes on to note that operators often start with an early form of action, such as an email – and that while emails are part of the toolkit available to operators, an email is not in and of itself appropriate for all indicators of harm.
The Commission has therefore drafted new SR Code 3.4.3(8) and (9), which provide that operators are required to take action in a "timely manner" when the risk of harm has been identified, and that the type of action taken must be tailored to the number and level of indicators of harm exhibited. This must include (but not be limited to):
- tailored action at lower levels of indicators of harm which seeks to minimise future harm;
- increasing action where earlier stages have not had the impact required;
- strong or stronger action as the immediate next step in cases where that is appropriate, rather than increasing action gradually;
- reducing or preventing marketing or the take-up of new bonus offers where appropriate; and
- ending the business relationship where necessary.
SR Code 3.4.3(11) further provides that where strong indicators of harm are identified, automated processes must be implemented; automated decisions must also be manually reviewed by the operator in each customer's case; and operators must allow customers to contest any automated decision which affects them. 3.4.3(10) also provides that marketing and new bonus offers must be stopped where there are strong indicators of harm.
The requirement to review all automated decisions which affect a customer appears to go beyond the requirements of Article 22 of UK GDPR (which only envisages that individuals should have the right to contest decisions which are based solely on automated processing; it does not also contemplate that all automated decisions must also be manually reviewed, even if the affected individual does not contest it). The Commission has not explained how its approach is proportionate or consistent with UK GDPR.
It would also appear that the relatively common practice of using automated messages and emails where a customer is initially flagged as being 'at risk' is unlikely to meet the new requirements except in very limited circumstances, because of the requirement for "tailored action" at lower levels of indicators of harm, and that automated processes must be implemented where there is a heightened risk of harm.
To implement these requirements is likely to mean a significant increase in the resources dedicated to customer interaction for many operators. We await the Commission's guidance in June as to the type of tailored action it might expect, and the types of automated processes it expects operators to implement in response to 'strong' indicators of harm, but these are likely to include the imposition of limits and/or blocks. While the Commission states that its guidance will include what it considers to be 'timely and tailored' action, and will support operators in setting 'strong' indicators of harm, it also makes clear that it wishes to avoid a 'tick box' approach by operators. As such, it may be that the actions to be taken under the new SR Code provisions are left in large part to an individual operator's judgement based on its own customers and business.
Evaluation of effectiveness
The new SR Code provisions relating to evaluation largely echo the existing customer interaction guidance, requiring operators to understand the impact of individual interactions and the effectiveness of their overall approach to interactions – and importantly, to maintain records of evaluation processes in order to demonstrate the outcome of such processes to the Commission.
However, in a break from the existing guidance, new SR Code 3.4.3(14) also requires operators to:
"take account of problem gambling rates for the relevant gambling activity as published by the Commission, in order to check whether the number of customer interactions is, at a minimum, in line with this level. For the avoidance of doubt, this provision is not intended to mandate the outcome of those customer interactions."
The Commission opines in the consultation response that, "[a]s the purpose of customer interaction is to identify customers at risk of harm, it is manifestly a failure if the numbers of customers being identified is lower than the problem gambling rates for the products." It is difficult to see how an individual operator can be expected in all cases to identify a number of at-risk customers that matches, "at a minimum", the problem gambling rates published by the Commission, particularly given that the published rates themselves are based on data collected from survey respondents (being only a small sample of the gambling population). It remains to be seen how the Commission will approach this provision in terms of its own expectations and enforcement, and there may be some assistance in this regard in the guidance to be published in June.
As we have said, we have concerns that a number of the provisions in new SR Code 3.4.3 may be difficult to comply with to the satisfaction of the Commission. In particular, despite the move to a more prescriptive approach, the Commission has opted to leave key decisions to the operator, and we can envisage continued scope for disagreement between licensees and Commission officials as to whether compliance has been achieved. By way of example, interaction systems and processes must minimise the risk of customers experiencing harm (rather than merely "reduce" or "mitigate"). Also, there is likely to be debate around the licensee's judgement as to what is "timely" and "appropriate". The upcoming guidance to be published by the Commission in June will inform decision making in this regard, but with a view to future compliance assessments, licensees should consider carefully and record the rationale for their approach to customer interactions, as well as their evaluation of the effectiveness of that approach.