On 6 October 2020, elements of The Money Laundering and Terrorist Financing (Amendment) (EU Exit) Regulations 2020 came into force, amending the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (the 2017 ML Regulations).
Of most relevance to gambling operators are the changes that clarify what an 'appropriate level of assurance' means in the context of electronic identification of customers. Changes to paragraph 19(b) of the 2017 ML Regulations make clear that when operators undertake electronic checks on customers, the identify check process needs to provide assurance that the person claiming a particular identity is in fact the person with that identity, to a degree that is necessary for effectively managing and mitigating any risks of money laundering and terrorist financing.
The change is a reminder that whatever system of verification is used by operators, the system must be capable of not only verifying that the individual customer actually exists but also that person is who they claim to be (i.e. mitigating impersonation risk).
In undertaking the process of verifying that the customer exists, the Gambling Commission expects operators meet a standard level of confirmation before the verification can be relied on. The standard level of confirmation, in circumstances that do not give rise to concern or uncertainty, is:
- one match on an individual’s full name, date of birth and current address
- a second match on an individual’s full name and either their current address or their date of birth
The criteria for creating a pass in Commission criteria is a "2+2" or in other words, it has to match 2 names to 2 addresses OR 1 name to 1 address AND 1 name to 1 Date of Birth.
As set out above, once identity is verified, an operator needs to apply an additional check (or checks) to manage the risk of impersonation fraud. Of course no system of verification can conclusively prove that the customer is who they claim to be, but the Gambling Commission expects operators to be reasonably satisfied, following appropriate inquiry, that customers are who they claim to be.
The additional impersonation check may be undertaken as part of the electronic identification check by providers which offer that service - but need not be. Operators can use other methods which provide the appropriate level of assurance - for example:
- requiring the first deposit to be carried out through an account in the customer’s name with a UK or EU regulated credit institution or one from an equivalent jurisdiction;
- telephone contact with the customer prior to opening the account on a home or business number which has been independently verified (electronically or otherwise);
- internet sign-on following verification procedures where the customer uses security codes, tokens, and/or other passwords which have been set up during account opening and provided by mail (or secure delivery) to the named individual at an independently verified address;
- other card or account activation procedures;
- requiring the provision of copy documents certified by an appropriate person.
The Commission does not favour one form of verification over another. However, the starting point in designing an identity verification process is the operator's risk assessment. The Commission will expect operators to be able to demonstrate that in designing a process they have considered identity risk and that the chosen process effectively mitigates that risk. For customers who present a higher risk (such as high spenders) operators will be expected to apply enhanced due diligence measures that may include additional identity checks.