Gaming complianceWhat gaming operators need to know about compliance and AML in 2024 and beyond

The repercussions of weak compliance can be severe for gaming operators. It not only increases the risk of financial crimes like terror funding but can also result in significant fines and penalties from regulators.

It is essential that businesses use the full range of tools at their disposal such as rigorous identity checks, transaction monitoring and real-time analysis that can help identify suspicious activities fast. Leveraging the right third-party tools and integrating them seamlessly into tech ecosystems is a crucial part of the compliance puzzle.

Compliance in the gaming industry isn’t straightforward

In the dynamic gaming and gambling market, regulatory compliance and anti-money laundering (AML) measures are not just legal obligations. They’re the cornerstones of a safe and fair gaming industry, where there is a healthy level of mutual trust and integrity across the industry.

The gaming industry, made up of both physical casinos and online platforms, faces unique challenges when it comes to maintaining compliance. One of the biggest is preventing financial crimes such as money laundering since illicit funds can easily flow through a gaming ecosystem without stringent checks.

There is also an evolving body of regulation around identifying and protecting vulnerable players to prevent problematic play. For the range of stakeholders responsible for managing compliance, such as gaming operators, casino managers, and compliance officers, this creates a complex and constantly shifting risk landscape.

The gaming industry compliance landscape

According to data from the Gambling Commission (GC)^[1], close to 44% of UK adults engaged in gambling activities between March 2022 and March 2023. The way people play has changed significantly over the last five years, which presents new challenges for operators. The percentage of online players increased from just under 20% in 2019 to 26% in 2023. In-person play simultaneously decreased by close to 9% between 2019 and 2023.

Wagering gaming environments have long been a target for would-be money launderers. Criminals can play with ‘dirty’ cash and walk out with legitimate funds at in-person casinos or use multiple bank accounts to do the same thing through online casinos.

Gaming is also vulnerable to other financial crimes, such as fraud and identity theft, and unfair tactics such as bonus abuse. And with the greater anonymity online gaming can offer, it can be easier for bad players to hide what they’re doing. The only way for gaming operators to stay on top of criminals is to prioritise compliance and take a robust approach to managing it.

Navigating the gaming laws

To prevent the gaming industry from being abused by the wrong kinds of players, the UK government has introduced a number of regulations, including:

• The Proceeds of Crime Act 2002 (POCA)
• The Terrorism Act 2000
• The Gambling Act 2005
• The Gambling Commission’s money laundering and terrorist financing risk assessment

These regulations aim to prevent financial crimes and ensure a safe and fair gaming environment. The rise of online gaming has changed how many aspects can be interpreted and this shift has brought new compliance risks to the forefront. Away from direct financial crime, two of the most prominent risks are data protection and identity verification. Platforms need to make sure they can have reliable solutions to verify the identities and ages of players. And once they’ve captured this data, it’s essential they safely process and store it in a way that meets data protection regulations.

With new financial vulnerability checks being introduced in August 2024, it’s a smart time for operators to consider if their broad compliance processes and partners are still fit for purpose.

What are the UK regulations on gaming and gambling for companies?

Regulations differ depending on the jurisdiction companies operate in and the type of gameplay they offer. But the key regulations are:

Complying with gaming anti-money laundering (AML) regulations

Staying on top of sophisticated criminals is a constant challenge for those on the operating side of the gaming industry. In 2023, the industry incurred the third-highest amount of AML penalties as a sector, with £366m ($475m) being dished out in fines according to ComplyAdvantage. To prevent illegal play, and avoid hefty fines, it’s essential that operators and their compliance officers understand their role in AML and know your customer (KYC) processes.

Building a strong compliance framework

As mentioned, there are three main laws that gaming companies must comply with. The most important aspect of compliance is verifying customers’ identities through a KYC process before allowing them to open an account. Doing so prevents underage play and can help companies quickly spot red flags around fraud, money laundering and terrorist activity.

If an operator thinks a player is behaving suspiciously, they must carry out due diligence including an AML or CFT check. The GC recommends this due diligence should be triggered if a customer deposits or withdraws more than £1,700 (€2,000) in a single or series of linked transactions [[source]]. However, checks must be carried out at any amount if AML or CFT red flags are detected.

The basics of compliance

To make compliance a straightforward yet systematic process, the government recommends putting in place controls^[3] including:

• Having a nominated officer who is well known across the business so that staff can report any suspicious activity
• Putting compliance officers in place, if your operation is large or complex, to support your teams
• Regularly training managers and sharing information around money laundering risks
• Keeping employees up to date on AML best practice and their individual responsibilities
• Clearly publishing, and regularly updating, AML policies, processes and controls
• Building risk reduction measures into the way your business operates day-to-day
• Keeping clear records of transactions and customers’ information for a set period

There’s one core issue, however. While all these actions are essential and underpin a genuinely effective compliance strategy, they can put a heavy burden on smaller operators. Additionally, serious criminals understand how to avoid detection via basic controls – meaning organisations need the right knowledge, tools and partners to keep crime off their platforms.

How money laundering works in gaming

For operators to effectively prevent money laundering, it’s essential they understand how the process typically works in gaming.

In the simplest terms, criminals essentially take small losses in gaming environments to ‘clean’ (or legitimise) money they’ve obtained through illegal activities. In a physical casino, a criminal could convert £100 of dirty money into betting tokens or chips, lose a £5 bet and cash the rest of their tokens in. Now, they have £95 that can be traced back to a legitimate source. The same strategy can be employed in online casinos, too – and repeated by networks of launderers to clean thousands or millions of pounds pretty quickly.

Any platform can be vulnerable to money laundering and there are a number of common methods criminal networks use to launder large sums without detection. With smurfing, criminals take a large sum and divide it up into smaller amounts for laundering across multiple players or accounts. By cleaning lower sums of money through a network of unconnected players, criminals are aiming to avoid arousing operators’ suspicion.

Structuring is similar, in that it involves splitting dirty funds up. However, those engaging in structuring will specifically keep each account or player’s deposits just below the AML or Counter-Terrorism Financing (CTF) reporting threshold. In theory, this means accounts or players can be used to launder money multiple times if each deposit is below the suspicious threshold.

Real life cases and consequences

Money launderers can be audacious. Three Las Vegas gamblers are currently under investigation for their involvement in a $24m sports betting ring. The resorts they favoured are also in the spotlight for failing to prevent their actions – and fines of up to £231m ($300m)^[4] have been handed out to other operators that have violated the AML/CFT Act in the past.

In 2023, one leading UK operator was fined £19.2 million^[5] for weak player protection and AML controls – the biggest fine ever handed out by the GC. Its mistakes included not conducting checks on a new customer who bet over £20,000 in just 20 minutes, and repeatedly failing to verify funds’ legitimacy across many five-figure deposits.

While most cases of money laundering aren’t on this scale, and nor are the fines, even small cases must be taken very seriously. It’s estimated that money laundering costs the UK £100 billion every year, so operators must do everything they can to prevent it and fulfil their legal obligations.

Could data-backed tools hold the answer – and not just in the case of money laundering?

Using data as a protective mechanism

Problem play awareness

Financial crime is just one concern for operators. Another, which can be harder to detect and manage, is how to reduce harm caused by gamers who play unsustainably. Problem gaming can be devastating and lead to players spending far beyond their means to continue play. Thankfully, more people are becoming aware of the support that’s available to them. 47%^[6] of UK players know about or use measures such as self-exclusion – a 12% increase between 2015 and 2020. And 84% of those who used GAMSTOP’s^[7] self-exclusion tool felt safer and more in control of their gaming.

Public perception of gaming is not favourable, with just 29% of people believing it is fair and trustworthy. Figures are hard to accurately record, but around 2.2 million people in the UK^[8] are thought to be at-risk or active problem gamers. However, there’s also a strong sense that players should be protected but not overly restricted, with 68% of those surveyed by the GC believing people should have the right to play how they like.

How the right data keeps play fun

As shown in the case of the UK company, protective mechanisms don’t just catch criminals. The right frameworks can detect all kinds of warning signs, from problematic play to illegal activity, and reduce the manual burden of performing checks.

To make sure your compliance processes are genuinely effective, they need to be underpinned by robust data that can help you achieve a single customer view (SCV) of players. At its core, SCV means you use customers’ data to track their financial activity accurately – even if they have created multiple accounts to try and get around limits or thresholds. This holistic view is even more important in the online space, where it’s easier than ever for players to evade detection.

Working with a credit reference agency (CRA) like Experian gives you access to accurate, reliable and GDPR-compliant data that supports your due diligence work. Crucially, it doesn’t impact customer experience – allowing the majority of players to enjoy your services while protecting everyone from financial crimes.

Data will also be a crucial aspect of the GC’s new checks, which aim to protect financially vulnerable people from unsustainable play.

Piloting new vulnerability checks

Compliance isn’t just about preventing crime. Gaming operators also have a duty to monitor and support customers who are at risk of harm from excessive gaming. In the wake of the government’s 2023 Whitepaper, and Gambling Commission’s public consultation^[9], they must now do more to protect financially vulnerable customers from problematic play.

From 30 August 2024, all UK-licensed remote play operators will need to carry out more stringent financial vulnerability checks. If players deposit more than £500 in 30 days, operators will need to screen them for signs of financial stress such as CCJs or bankruptcies. From 28 February 2025, the threshold will reduce to £150.

The UK’s largest operators will also begin a pilot of enhanced vulnerability checks, which means checking those who deposit and spend over £2,000 in a rolling 90-day period. Both levels of checks are meant to be seamless and will use data CRAs hold, meaning there’s no additional burden on customers. But how can those on the operating side make the process similarly smooth?