GBC Time

Thees Buschmann on Regulatory, KYC, and AML Compliance

Compliance remains one of the most discussed topics among operators and is frequently highlighted in news about the gambling industry. Rules differ across jurisdictions; however, compliance rests on principles common to all of them: keep gambling fair and free of crime.

Thees Buschmann, Head of Compliance at Red Rhino Ltd., answered the most frequently asked questions about regulatory compliance, KYC requirements, and the anti-money laundering framework in the gambling vertical.

How difficult is it for operators to remain compliant in the ever-changing world of gambling regulations?

Thanks for this question. Of course, it is always a challenge for an operator offering services in a multi-jurisdictional environment to comply with the multitude of compliance obligations – as there are, inter alia, regulatory & AML compliance, data protection compliance, player protection compliance, consumer protection compliance, just to name the most important ones – to abide by relating to all regulation and legislation applying or potentially applying to its operations. But still, the importance of compliance is to be understood: though a risk-based approach has been introduced by several regulators on a national and also by the European regulation on a supra-national level and so operators may have a certain level of flexibility in how to apply a certain principle, relevant legislation is to be followed.

Non-compliance may cause severe reputational harm to brands and operations, and also lead to fines, revoking of licenses, and further business obstacles.

How difficult it is: it takes diligence, dedication, expertise, and a good team to ensure that rules are not only implemented but also followed.

As the consequences are out of the hand of the operator, the question is not whether to comply, but how to get the tools in hand to comply.

What about AML regulations? Are they difficult for gambling companies to follow?

Well, the AML framework has been harmonized internationally, so that at least the principles and general understanding of mechanisms for preventing ML and FT are globally recognized.

Therefore, AML regulations are to be understood as mandatory requirements, which are not to be discussed but have to be abided by and which follow a principle of coherency. As it is, unfortunately, not always the case for all further legislation imposed on licensed businesses in all jurisdictions.

Depending on the business one operates, an operator may face different challenges: for example, applying a principle of reliance may be a way to help strengthen compliance for an operator purely dedicated to the online world. While operators entertaining both online and land-based operations can apply this principle only to a limited extent.

In the end, it is to be understood that the internationally recognized mechanisms of the prevention of ML and FT are binding rules, which help to prevent financial crime and so aim to make the world a safer place.

The implementation of the risk-based approach by the FATF helped here a lot to make licensed businesses and subject persons of AML regulation come to reasonable decisions and help to bring business decisions, expertise, and experience, and also regulatory requirements under one roof.

Furthermore, it is to be understood that the lawmakers in most countries also would obtain stakeholder’s advice on how to tackle certain topics, by so-called consultation exercises, in which the stakeholders have the opportunity to have their say on the regulator’s or lawmaker’s view on certain requirements and how they should be fulfilled. This is to ensure that a practical view is implemented to the legislation.

Difficulties here should be understood as challenges, not obstacles.

In a word: AML compliance is a challenging, but necessary field. There is no way around it.

What is your opinion on adding Malta to a grey list by FATF? Why did this happen?

Personally, I am of the opinion that Malta could possibly have avoided the grey-listing, but things got stuck on the way: while some stakeholders were striving for a change, others were trying to keep things going the way that had worked for them for a while. Once the government started taking visible action, it had lost a lot of credibility on the international level and the point-of-no-return had been passed already.

I have seen that Malta has made great steps in the last years, but the stakeholders of FATF seem to have already made up their mind. Here, it is to be considered that, according to the reports from the FATF committee, many countries have voted against a grey-listing.

Media coverage and the time of legal proceedings on the island may also have played a role. I think that the grey-listing was at least partly a political decision.

Was it deserved? Most probably not, at this stage, as I find. Can it be a chance? Definitely! I believe that Malta, when taking the right steps, can get back to the top and rise again as an even strengthened business jurisdiction, showing that it has not only met the average requirements but made its way back by applying reasonable, coherent, and functioning control mechanisms and so showing its fitness under the scrutiny of the world’s AML watchdog.

How will Malta’s presence in the grey list influence Maltese gambling companies?

In the first place, the grey-listing and its mandatory consequences apply to the government, not to businesses. Anyway, the impact may be severe, when stakeholders of the industry – speaking about suppliers, partners, regulators, and even clients – get the impression that a business is residing in Malta to take advantage of allegedly lax control mechanisms. This not only bears an operational but also reputational risk.

The challenge of Malta-based companies will now be to show that they are doing better, applying international standards and showing that the framework of AML and CFT they apply is suitable to not only stand against the Maltese regulation and its existing controls but also meets international standards and considers principles, requirements and control mechanisms of the FATF and is kept not only up-to-date but future-oriented in an even more digitalized world.

My personal opinion: now that the dice have been thrown, subject persons should rather try to understand the situation as a challenge and act proactively, rather than waiting for the lawmakers to hopefully take appropriate action.

What are the main difficulties in the KYC procedures required by various jurisdictions, especially the strictest ones, for example, the UK?

I prefer to speak of challenges here, rather than naming the fulfilling of regulatory requirements “difficulties”. Here, one of the major challenges is the diversity of requirements in a multi-jurisdictional environment, so that it is hardly possible to design a one-which-suits-for-all KYC procedure.

Therefore, efficient, up-to-date training, smart process design, and customer channeling models are critical to reduce the operational burden of a diversity of KYC procedures.

Also, certain jurisdictions impose checks, which are inconvenient for the player – as well as for the operator having to ask these questions or otherwise obtain the required information. A good example of these is affordability checks, as required under, for instance, German and British legislation. From an operator’s perspective, it is very hard to find a way to ask players how much money they actually can afford to spend, without making them feel uncomfortable. Same for the player, who may simply be wanting to spend some leisure gaming time and does not want to disclose their entire life circumstances.

In the end, KYC requirements are nothing that one can discuss as the subject person of a certain regulation, but from the regulatory tools, a risk-based approach and consultation exercises can help a lot in steering the fulfillment of KYC requirements into a direction where both business goals and regulatory requirements can be fulfilled.

How can operators increase compliance with safe gambling provisions without sacrificing their business goals?

Safer gambling provisions have to be enforced, even though the responsible gaming or player protection compliance is valued and understood differently in the several jurisdictions one may operate in.

So, I think it is critical to assess the regulatory aim of a domestic player protection regulation, consider all further areas, which may have a crossover with the aims and requirements – such as data protection, consumer protection, the principle of fairness, and also the player’s personal freedom. And then develop a smart way to meet the regulatory aims, rather than flatly fulfilling requirements, but not working towards the aims of the regulation.

In terms of player protection, case management, and individual assessment, based on sound expertise, as well as a smart and flexible framework are the keys to ensure that business goals do not suffocate from compliance obligations.

How can a gambling business protect itself from fraud attempts?

Fraud is something that happens every day, especially in the online world, and no one can anticipate the numerous faces and typologies fraudulent behavior may have.

Simply abiding by regulation also does not give a sufficient level of protection to a business, and reporting requirements help in fulfilling legal obligations but do not prevent a business from economic and reputational harm.

Therefore, it is absolutely necessary to have a team of well-trained and experienced experts who do not only understand legal terms but the business, its procedures, and its vulnerabilities and who keep up-to-date with the latest developments.

Still, it cannot be avoided that some fraudulent behavior is not detected before it has finally happened and some damage is done. In such cases it is critical, in my opinion, to act in a proper way and ensure that the damage done does not lead to further damage, for example, by employees who fear being exposed for mistakes made.

An open culture, awareness, and guidance from seniors are, from my experience, here as important as training and diligence when dealing with a particular matter.

Should online casinos develop their own compliance program?

Definitely. The regulators never understand the business like the companies actually conducting this business do, and so it is of core importance to develop one’s own view on compliance obligations, ways to fulfill them, and also about the risks inherent in compliance violations as well as in the business itself.

All compliance management is also risk management, that’s why I believe that risk management strategies can help to develop a coherent approach and also can help to identify challenges a business is subject to.

Furthermore, it is to be considered that compliance obligations often lie across different fields of compliance. For instance, responsible gaming requirements can lead to AML reporting obligations and also incorporate aspects of privacy compliance, as well as further or specific domestic requirements in the jurisdictions one operates in or in which a certain case occurs.

To answer your question in a sentence: I strongly believe that every remote gaming operator should develop a comprehensive compliance and risk management program.
