Clients are not just numbers...
..We value your business !

Understanding your business is KEY !

Committed to QUALITY

We are...

...Qualified Security Assessors (PCI DSS)
...Certified Information Security Auditors (CISA)
...Approved System/Compliance Auditors (MGA)
...Qualified ISO27001:2013 Lead Auditors

Responsive, Dependable ...

...Knowledgeable


Kyte Consultancy

A quick look at FIAU/MGA Consultation Document: “Application of Anti-Money Laundering and Countering the Funding of Terrorism obligations to the Remote Gaming sector”

The 4 AMLD is taking Anti-Money Laundering and Countering the Funding of Terrorism compliance to a new level for the Remote Gaming Sector.

 

This Directive builds on and is an update on the 3rd AML Directive which was implemented in the year 2005. Amongst other measures, Remote Gambling Operators are given a Subject Person status. This removes previous doubts about the application of these rules towards the Gaming Sector.

 

The FIAU/MGA Consultation paper is giving MGA Gaming License holders some guidance and requests industry feedback prior to the EU’s 4th AML Directive being transposed into national laws.

 

Let’s have brief look at the most important points of this consultation document.

 

ML/FT Customer Risk Assessment

 

Businesses must carry out an ML/FT Assessment to identify its vulnerabilities and risks of exposure to activity and transactions derived from Money Laundering and Funding of Terrorism.

 

The assessment is not a one-time task and the Customer Risk Assessment has to be revisited at least once yearly, together with derivative measures, policies, controls and procedures. Changes in business structures, products and/or services are to be assessed immediately. This process and its derivatives have to be recorded and be available for auditing.

 

Dynamic Customer Specific Risk Assessment

 

Businesses must maintain a continuous Risk Assessment of their customers based on on-going monitoring of the business relationship with the customer. The key word here is “Dynamic”. It’s not a simple set of rules and measures and then, you’re good to go. Rather, it’s an ongoing risk assessment of the customer’s profile and behaviour to ensure that suspicious changes are identified and assessed.

 

The use of advanced analytic and behavioural analysis tools needs to be considered as an automated solution to meet this expectation and we believe that this is the reason why the FIAU/MGA have specifically mentioned such tools.

 

High Risk relationships

 

Screening and monitoring for PEPs and individuals on Sanctions Lists using reputable databases must be introduced. Special focus on high risk customers and originating territories is to feature highly on your Customer Risk Assessment.

 

The new consultation paper goes beyond simply verifying customer details and requiring you to monitor the business relationship risk level constantly.  Companies need to keep themselves updated on Country Risk levels through reputable sources such as country assessment reports by the Financial Action Task Force which are available on their website.

 

CDD/EDD Measures

 

The triggering of CDD/EDD Measures for customers not previously risk-assessed is to start, at a minimum, once a threshold of €2000 in linked deposits or €150 for high risk payment methods is achieved. Before your customer has reached that level though, your customer risk assessment may also dictate an early kick-start of CDD/EDD for higher risk customers.

 

These thresholds are not tied to a specific timeframe. The Malta Remote Gaming Council is raising this point with the FIAU/MGA to suggest specific time frames which makes sense for the Gaming Industry as well as to achieve the aim of managing the risk of ML/FT in a risk based approach.

 

Looking back for the skeletons in the closet

 

It’s not only a matter of doing risk assessments on new customers from directive transposition day onwards. The consultation paper also tasks the Gaming Industry to have a look back on its already present customer base and carry out customer risk assessments on clients with whom there are established business relationships.

 

High Risk customers must be reviewed within 6 months from adoption of the directive and all other customers must have been risk assessed within 18 months with FIAU/MGA expecting this to be done the soonest possible. Inactivity of the customer does not exclude him/her from the risk assessment.

 

Suspicious Transaction Reports

 

Subject persons are obliged to report Suspicious Transactions to the FIAU when there is a suspicion of ML/FT, even when a Transaction has not actually happened. The obligation to file the STR report cannot be taken lightly.

 

Some standard ML/FT Red Flags are also included in the consultation document together with reminders that any customer suspected of ML/FT must not be tipped off, neither intentionally nor unintentionally. One must discuss actions taken by the Business in respect of a suspected customer’s account with the FIAU to get the necessary guidance. FIAU has the authority to ask for a postponement of a transaction or for continued intensive monitoring of the customer activity.

 

Jurisdictions

 

The consultation document also shows appreciation that Jurisdiction concerns may occur when business have different licences depending on their target markets. Guidance is provided that the filing of STRs should ideally be made to the Reporting entity that has Jurisdiction in the country from which the license to operate has been issued.  This means that Businesses must be knowledgeable in the ML/FT regulations and guidelines for the markets they operate and are licensed in.

 

Thus, for example, if the STR is to be filed by a business based in Malta which provides services to a customer on a UK Gambling Commission License, then the STR has to be filed with the UK National Crime Agency.

 

Getting expert help

 

FIAU/MGA are studying the possibility for subject persons to be able to outsource some ML/FT specific tasks to dedicated providers who would be able to provide industry players with AML/CFT related services such as implementing AML/CFT controls, policies, measures and procedures.

 

However, the document itself states that this matter has not been finalised yet so expect new updates on the subject.  In the meantime, Businesses must start to implement these requirements themselves.

 

Why should I care?

 

Whilst the consultation paper itself does not contain references to penalties we can see the EU 4th AML Directive dictate that the cost of non-compliance might imply:

  • Reputational Cost - Publication of name of Business and nature of breach
  • Potential License Revocation
  • Temporary ban on managerial persons from exercising managerial responsibilities  in an obliged entity
  • Administrative fines which can run into millions of Euros imposed on both companies as well as individual obliged persons.

Here at Kyte Consultants, we can help you improve in-house processes which make certain that you are equipped to comply with your statutory obligations. We can help you cultivate processes based on your kind of business model and risk scenario and ensure that there is continuity in the processes.

 

To find out more about the services we offer and how we can help you ensure you are being compliant with the necessary legalities, contact us today.

 

Further reading: FIAU / MGA Consultation Document, 4th AML Directive, FATF.

 

David Agius

Advisor for Regulatory Compliance

 

Kyte Consultancy