Anti–money laundering under the Gambling Regulation Act 2024
Introduction
The Gambling Regulation Act 2024 is the most significant reform of gambling legislation in Ireland since the formation of the State. For an overall summary and discussion of the key aspects of the Act, please see our earlier briefing (here). In this briefing we focus on the important issue of the anti-money-laundering and combatting terrorist-financing (“AML”) regime applicable to providers of gambling services (“providers”).
The importance of AML was recently brought into sharp relief by enforcement action and record fines imposed by the UK’s Gambling Commission against operators in the UK (see here for further details). This follows on from the European Commission’s 2022 Supranational Risk Assessment Report which classified the gambling sector as generally “high risk” and online gambling as particularly high risk in respect of AML.
Current AML Regime
The AML regime in Ireland is primarily set out in the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 (as amended) and applies to entities that come within the definition of a “designated person”. Since 2018, most providers have been prescribed by the relevant Minister as “designated persons” with the consequence that providers should already have AML policies and procedures in place. A brief summary of the principal requirements of the current AML regime is set out below.
Risk-based approach: Recognising the potential complexity of AML compliance and with a view to having proportionate controls, the overriding philosophy that providers need to adopt is to put risk-based assessment at the centre of compliance efforts. This needs to be reflected in all AML-related decisions, including in the more particular AML requirements discussed below.
Business Risk Assessment: Each provider must complete and maintain an up-to-date business risk assessment which identifies and assesses the AML risks involved in carrying out its business activities. The business risk assessment must have regard to Ireland’s national risk assessment and relevant guidance (available here). In addition the assessment must take into account certain risk factors including:
- the types of customer which the provider deals with, including the countries and geographical areas in which they are located;
- the products and services provided, the types of transactions carried out and the delivery channels used by the provider.
The business risk assessment must be approved by the provider’s senior management.
Customer Risk Assessment: Once the business risk assessment has been carried out, each provider must then complete and maintain and up-to-date customer risk assessment for each of its customers which identifies and assesses the AML risks which each customer of the provider poses to the provider’s business. Considerations in carrying out such customer risk assessments would include the outcome of the business risk assessment, the type of customer, the geographical location of the customer and the channels for carrying out the service for the customer.
The customer risk assessments must also be approved by the provider’s senior management.
Customer Due Diligence: The outcome of the above business risk assessment and customer risk assessment must be used by providers to determine the extent of measures that are required to be taken for customer due diligence (“CDD”) purposes. More generally, a provider must assess each client to determine the appropriate level of diligence to apply based on the risk that has been assessed for that customer. Certain customers, such as politically exposed persons or customers established or residing in a high-risk third country, require enhanced due diligence while other, more vanilla, relationships may justify simplified diligence. CDD extends beyond simply collecting documentation when on-boarding new customers. Ongoing monitoring of customers and transactions is required and documentation must be kept up-to-date. If dealing with certain types of customer, additional enquiry obligations in relation to the beneficial ownership structure also arise.
Policies and Procedures: Providers must ensure that their AML policies reflect the granular requirements of the legislation and procedures must be meaningful and aligned with policies. Policies and procedures must represent more than just a paper exercise; they must be adhered to in practice too.
Suspicious Transaction Reporting: Where a provider knows, suspects, or has reasonable grounds to suspect that a customer has been or is engaged in money laundering or terrorist financing, that provider has an obligation to make a report, known as a ‘suspicious transaction report’ (“STR”), to both the Financial Intelligence Unit of Ireland and the Revenue Commissioners. The STR should be made as soon as practicable upon obtaining the knowledge or suspicion or the reasonable grounds to suspect.
It is important for providers to ensure that there is no ‘tipping off’ to the person in question that a STR has been or is going to be made about them. It is equally important to ensure therefore that any personnel do not discuss any STRs or suspicions with anyone except those required to be informed about the knowledge/suspicion/STR for the purposes of submitting the STR, such as the Money Laundering Reporting Officer or Compliance Officer.
Competent Authority: The current competent authority, insofar as the supervision of providers is concerned, is the Department of Justice. In that role, the Department is tasked with taking all measures reasonably required for the purpose of ensuring compliance by providers with AML requirements.
Proposed Changes to the AML Regime
While the Act does not propose an overhaul of the AML regime, it provides for some important changes that providers should be aware of.
Competent Authority: The new Gambling Regulatory Authority of Ireland (the “Authority”) will become the competent authority for AML purposes in respect of providers, replacing the Department of Justice. It will be important for providers to ensure that they understand and become familiar with the Authority’s approach and expectations in relation to AML compliance.
Licensing Regime: Current AML legislation requires a person who effectively directs a private members’ club at which gambling activities are carried on to register with the relevant Minister and to hold a certificate of fitness. This regime is being repealed and effectively replaced by the new licensing regime provided for in the Act. Historic failures to comply with the older regime will, however, remain relevant. For example, part of the information required to be submitted when applying for a gambling licence will be confirmation of whether the applicant (or a related person) was ever refused a certificate of fitness, convicted of a relevant offence (which includes offences under AML legislation) or is the subject of proceedings in respect of a relevant offence. For information on the new licensing regime generally, please see our earlier briefing (here).
Designated Person: Under the current regime the definition of “designated person” specifically captures “a casino” or “a person who effectively directs a private members’ club at which gambling activities are carried on”. Those categories are being replaced by the more general concept of a provider of “gambling services”1 as defined in the EU Fourth Money Laundering Directive2 (subject to limited exceptions for certain poker games, gaming machine games, amusement machine games and lotteries contemplated by the Act). Consequently, providers of gambling services that currently operate on the basis that they are not a “designated person” will need to carefully re-examine the scope of their activities by reference to the amended legislation.
Similar Obligations: The Act includes a number of measures which may overlap with AML obligations. Providers should consider these carefully in the context of their AML policies and procedures to ensure they have a coherent and effective framework in place. These include:
- Suspicious Gambling: where the provider becomes aware of a “suspicious gambling pattern” it must cease accepting payments; notify customers attempting to make relevant payments of such refusal in writing; notify the Authority as soon as possible; inform a relevant Superintendent of the Garda Síochána (Irish police); and refuse to pay out any winnings until permitted by the Authority to do so. This obligation would overlap with existing “suspicious transaction reporting” requirements discussed above.
- Customer Information: licensed providers of remote gambling in particular will be required to maintain a “register of account-holders”, which must include specified information in relation to each customer/account-holder (e.g. their name, address and date of birth). This obligation would overlap with a provider’s existing obligations in relation to Customer Due Diligence.
Comment
Providers of gambling services in Ireland will need to ensure that they are fully aware of the changes being brought in by the Act. While the amendments contemplated by the Act to AML obligations are not necessarily extensive, they are important. The need to consider those changes should also serve as a useful prompt to ensure that providers are fully compliant with AML requirements. Considering the introduction of a new Authority, the classification of the industry as high risk by European Commission reports and the recent record fines imposed by the UK regulator, there should be no doubt as to the value of ensuring compliance.
Finally, while the Gambling Regulation Act 2024 has been fully enacted it will not come into force until it has been legally commenced by a Ministerial order. The time-frame for commencement is not currently clear but it is not likely to be imminent, particularly given the work that is ongoing to fully develop the new Authority and the likely change of Minister in an anticipated general election before the end of 2024. This lead-in period should provide an excellent (final) opportunity for providers of gambling services to ensure they are fully compliant with their AML requirements.
- That definition reads: “‘gambling services’ means a service which involves wagering a stake with monetary value in games of chance, including those with an element of skill such as lotteries, casino games, poker games and betting transactions that are provided at a physical location, or by any means at a distance, by electronic means or any other technology for facilitating communication, and at the individual request of a recipient of services”.
- Directive (EU) 2015/849 (often also referred to as “4AMLD”).
This document has been prepared by McCann FitzGerald LLP for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.
Select how you would like to share using the options below