Businesses continuously face a balancing act between risk and reward. Online gaming operators are no exception to this.
The introduction of the European Union Directive 2015/849 of 20 May 2015 (“4th AML Directive”) brought within its scope the online gaming industry. While anti-money laundering and combatting the funding of terrorism (“AML/CFT”) was not a new concept to the industry, the inclusion of online gaming in the definition of a relevant activity brought with it additional obligations and responsibilities.
While one may argue that these changes placed additional burdens on online gaming operators, it is also true that, in the medium to long term, they will provide an opportunity for the industry to improve its perception and image with various stakeholders, including financial institutions, with respect to exposure to criminality and money laundering.
The 4th AML Directive brought with it a mandatory risk-based approach, whereby subject persons must draw up AML/CFT policies and procedures commensurate to their risk appetite and to the risks that they are exposed to. The 4th AML Directive was transposed to Maltese law through the Prevention of Money Laundering and Funding of Terrorism Regulations (“PMLFTR”), with effect from 1st January 2018.
The level of risk that an entity is willing to accept is referred to as its risk appetite. Risk appetite varies between operators, as a result both of their attitude towards the acceptance of risk and of differences in business models. The mandated risk-based approach allows subject persons the flexibility to draw up policies and procedures in the light of the risk that they face. This is not a standard one-size-fits-all process. Operators are required to put into place a control framework that is commensurate with the inherent risk to which their entity is exposed. High levels of inherent risk require highly effective controls. A mismatch between inherent risk and controls will result in a high residual risk, exposing the entity to elevated money laundering risk.
While certain operators may welcome the flexibility that a risk-based approach brings about, others may struggle in applying a risk-based framework, due both to their unfamiliarity with risk management models and to a lack of resources.
The definition of the entity’s risk appetite is generally the starting position. The risk appetite will strongly influence the entity’s business model and requires approval from the highest level (the board of directors).
The preparation of a business risk assessment (“BRA”) is a mandatory requirement emanating from the PMLFTR. The BRA must seek to assess the inherent risk (likelihood and impact) that an entity’s business model is exposed to. Inherent risk is the level of risk that an entity faces prior to taking into consideration the counter effect of the internal control framework. At a minimum, inherent risk should be assessed across the following areas:
- Geographic location
Entities should take measures to document and draw up policies (including a Customer Acceptance Policy) and procedures, and employ quality assurance measures to ensure that these are being adhered to. Furthermore, appropriate systems and tools need to be deployed. These would typically consist of IT solutions that can (continuously) profile customer risk, and monitor customer activity and behavioural patterns, including the identification of high risk / suspicious activity. Systems are dependent on persons for effectiveness. Sufficient and adequately trained members of staff are a fundamental element of the entity’s control framework.
The EU and Malta have upped their game in combatting financial crime over the past years. Licensed B2C online gaming operators are expected to follow suit with respect to money laundering, and invest in the necessary systems and human resources to ensure that AML/CFT risk is adequately managed. The FIAU, early in 2019, requested subject persons to complete and submit a sectorial-based risk evaluation questionnaire. The responses received will be used by the FIAU and the MGA to understand operators’ risk exposure to AML/CFT, and for the local competent authorities to devise their national compliance plan. Meanwhile, subject persons are to expect an increase in AML/CFT focused compliance visits from the competent authority. Any extensive weaknesses subsequently identified are expected to be met with severe retribution.
Alan Craig is the advisory partner at Mazars in Malta, specialising in risk consulting, including internal audit, governance, forensic investigation & anti-money laundering compliance services.
This article first appeared in the EGR Malta Report 2019 on 25/06/2019.