On Thursday 27 June, Niki Stephens, Partner in the Betting and Gaming Group, attended the second ARQ Gaming Compliance Forum 2019. The forum, which is sponsored by Mishcon de Reya LLP, brings together Maltese industry experts and international influencers.
The event was well attended by operators and other industry participants, and began with an insightful presentation by Alexander Mangion, Legal and International Relations Manager at the Malta FIAU.
Alexander outlined the salient obligations on operators in relation to Customer Due Diligence (CDD), Enhanced Due Diligence (EDD) and ongoing monitoring, and gave practical guidance to operators on how to meet the expectations of the FIAU. Below are some highlights:
- Business Risk Assessments (BRAs) must outline the methodology used, the risks identified and any steps taken in mitigation. BRAs must also be approved by the board and reviewed at least once annually. An annual review may not require changes to be made, but any decision not to make updates should be recorded to demonstrate that the BRA has nonetheless been reviewed and considered.
- Establishing the intended nature of the business relationship (which the FIAU recognises is self-evident when a customer registers with an online operator) is an important part of customer due diligence. As part of this process, the FIAU also expects the operator to establish a profile of the customer and their expected level of activity, while recognising that, in taking a risk-based approach, the level of source of wealth (SOW) checks may vary from customer to customer. For example, for low/medium-risk customers a statistical check or a check by reference to public salary information may be sufficient, but for high-risk customers SOW documentation will be needed from the customer.
- The obligation to conduct ongoing monitoring arises from the point of registration, not least so that operators can monitor when the €2,000 threshold is met (the point in time when full CDD including verification of identity must be concluded). Again, the FIAU recognises that the level and extent of CDD/EDD will depend on the risk profile of the customer. Any unusual activity during that time may of course trigger source of funds (SOF) checks in relation to the relevant transaction(s). Any winnings withdrawn and re-deposited would count towards the €2,000 threshold, and operators must ensure they monitor all accounts held by the customer.
- Operators have 30 days to complete full CDD after the threshold is met. During this time no withdrawals may be made, although the customer may be allowed to continue to deposit funds and/or gamble, subject always to any unusual activity which (if suspicious) may trigger the requirement to file a suspicious transaction report (STR) with the FIAU. This was not considered contrary to consumer protection law on the basis that the checks may be concluded sooner. Niki observes that if operators make it clear in their terms and conditions when checks are likely to be carried out, what documents may be required and how to submit them (as operators are required to do under the LCCP in the UK), this will go some way to addressing consumer protection concerns. Ultimately, consumer protection laws are intended to prevent operators from arbitrarily applying AML checks as a means of refusing or delaying withdrawal requests, and as long as AML checks are being properly applied, for a legitimate purpose, the risk of offending consumer protection law is minimised.
- Previously the MLRO was required to be based in Malta or where the operations were being directed or records kept. This is no longer a requirement, but the MLRO must have access to the necessary information and records at all times.
- Operators must have a detailed Customer Acceptance Policy which outlines how relevant staff must conduct CDD and EDD, and when.
- The FIAU expects to issue Risk Evaluation Questionnaires to operators annually, but any operators that the FIAU considers to be higher risk may receive specific targeted questionnaires from the FIAU more frequently.
The forum also included insightful talks on due diligence on third parties, including affiliates, by Martina Scalpello, Senior Compliance Manager at ARQ; GDPR one year on, by Matina Massa, Managing Partner at M2 Business Frameworks; and best practices in reporting suspicious activity, by Martin Crowe, MLRO and UK Compliance Manager at Casumo.
Manfred Galdes, Chairman and Partner at ARQ, was the perfect host as always. We look forward to the next event, which is provisionally set for 30 October 2019; the expectation is that the Gambling Commission of Great Britain will be in attendance.