Johanna Walsh, a White Collar Crime & Investigations Partner at Mishcon de Reya's Betting & Gaming Group, and Mellissa Curzon-Berners, an Associate, examine how Isle of Man operators might be deemed to have taken the ‘reasonable measures’ as demanded in the Gambling Code 2019.
Online gambling operators in the Isle of Man will now be familiar with the Gambling (Anti-Money Laundering and Countering the Financing of Terrorism) Code 2019 (‘the 2019 Code’) which entered into force on 1 June 2019. It replaced the 2013 Code and is designed to bring anti-money laundering legislation in line with the Financial Action Task Force’s Recommendations for the Isle of Man.
Failure to comply with the requirements of the 2019 Code is a criminal offence. However, it is a defence for a person to show that they took all reasonable measures to avoid committing the offence. Guidance as to what might constitute "reasonable measures" is not available but with the increased emphasis on senior management approval and risk assessments it is likely that operators who can demonstrate the right tone from the top and that risk assessments have been undertaken on an ongoing basis, and their findings implemented, will have a good foundation for demonstrating reasonable measures.
Risk-Based Approach: Lessons learned from the failings of UK operators
Evaluation of risk should inform all aspects of an operator's approach to its anti-money laundering obligations. Under the 2019 Code, operators must undertake a business risk assessments; a technology risk assessment and a customer risk assessment. Respondents to the GSC's consultation on the 2019 Code indicated that they would benefit from additional guidance on risk assessments.
In the UK, the risk-based approach lies at the heart of the Money Laundering Regulations 2017, in force since June 2017. Casino operators must undertake a three-stage risk assessment process to identify and assess the money laundering risks within their businesses, devise policies, procedures and controls and direct AML efforts where they are most needed. Preparing a risk assessment is not a one-off exercise and the UK Gambling Commission ("UKGC") expects operators to keep their processes and policies under review. Operators that cannot produce and justify their risk-assessment will be given short shrift by the UKGC, particularly if things have gone wrong.
The UKGC has conducted multiple investigations into AML failings in the remote casino sector. On the basis of these investigations it has identified a number of common failures in risk assessments. Manx operators should take note of these failings and apply the lessons learned to their obligations under the 2019 Code. In particular, they should:
- Conduct appropriate assessments of ongoing and emerging risks of money laundering and terrorist financing and ensure that they implement policies, procedures and controls which effectively manage the identified risks;
- Ensure that their CDD/EDD and ongoing monitoring of customers has a sufficient focus on any business and technology risks as well as being focused on the individual risks presented by the particular customer;
- Address the need for focused customer risk assessments by implementing internal controls and monitoring systems tailored to the size and complexity of their business; and
- Properly document all risk assessments undertaken and significant decisions made so that they can demonstrate to the GSC that these have been undertaken and kept under review.
The tone from the top
The requirement in the Code 2019 for senior management approval of risk assessment procedures and controls reflects the importance of having a culture of compliance throughout the company. In the course of its investigations, the UKGC has criticised the actions of senior management at some of the operators that it has investigated. For example, in its reported findings into a large operator, the UKGC criticised the senior management for failing to mitigate “significant operational risk that due diligence systems were failing and that its anti-money laundering and social responsibility teams were not sufficiently resourced.” The UKGC has also taken action against those in senior management positions. Operators should work to implement a culture of compliance by sending a clear message that AML failings will not be tolerated; by committing to and supporting a risk-based approach, by engaging fully and meaningfully in the preparation of risk assessments and policies and by ensuring that legal and compliance functions are adequately resourced.