The Gambling Regulation Bill is the most significant reform of gambling legislation in Ireland since the formation of the State. For an overall summary and discussion of the key aspects of the Bill, you can refer to our earlier briefing (here). In this briefing we focus on the important issue of the anti-money-laundering and combatting terrorist-financing (“AML”) regime applicable to providers of gambling services (“providers”).
The importance of AML was recently brought into sharp relief by enforcement action and record fines imposed by the UK’s Gambling Commission against operators in the UK (see here for further details). This follows on from a recent report by the European Commission flagging the gambling sector as generally “high risk” and online gambling as particularly high risk in respect of AML.
Current AML Regime
The AML regime in Ireland is primarily set out in the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 (as amended) and applies to entities that come within the definition of a “designated person”. Since 2018, most providers have been prescribed by the relevant Minister as “designated persons” with the consequence that providers should already have AML policies and procedures in place. A brief summary of the principal requirements of the current AML regime is set out below.
Risk-based approach: Recognising the potential complexity of AML compliance and with a view to having proportionate controls, the overriding philosophy that providers need to adopt is to put risk-based assessment at the centre of compliance efforts. This needs to be reflected in all AML-related decisions, including in the more particular AML requirements discussed below.
Business Risk Assessment: Each provider must complete and maintain an up-to-date business risk assessment which identifies and assesses the AML risks involved in carrying out its business activities. The business risk assessment must have regard to Ireland’s national risk assessment and relevant guidance (available here). In addition the assessment must take into account certain risk factors including:
The business risk assessment must be approved by the provider’s senior management.
Customer Risk Assessment: Once the business risk assessment has been carried out, each provider must then complete and maintain and up-to-date customer risk assessment for each of its customers which identifies and assesses the AML risks which each customer of the provider poses to the provider’s business. Considerations in carrying out such customer risk assessments would include the outcome of the business risk assessment, the type of customer, the geographical location of the customer and the channels for carrying out the service for the customer.
The customer risk assessments must also be approved by the provider’s senior management.
Customer Due Diligence: The outcome of the above business risk assessment and customer risk assessment must be used by providers to determine the extent of measures that are required to be taken for customer due diligence (“CDD”) purposes. More generally, a provider must assess each client to determine the appropriate level of diligence to apply based on the risk that has been assessed for that customer. Certain customers, such as politically exposed persons or customers established or residing in a high-risk third country, require enhanced due diligence while other, more vanilla, relationships may justify simplified diligence. CDD extends beyond simply collecting documentation when on-boarding new customers. Ongoing monitoring of customers and transactions is required and documentation must be kept up-to-date. If dealing with certain types of customer, additional enquiry obligations in relation to the beneficial ownership structure also arise.
Policies and Procedures: Providers must ensure that their AML policies reflect the granular requirements of the legislation and procedures must be meaningful and aligned with policies. Policies and procedures must represent more than just a paper exercise; they must be adhered to in practice too.
Suspicious Transaction Reporting: Where a provider knows, suspects, or has reasonable grounds to suspect that a customer has been or is engaged in money laundering or terrorist financing, that provider has an obligation to make a report, known as a ‘suspicious transaction report’ (“STR”), to both the Financial Intelligence Unit of Ireland and the Revenue Commissioners. The STR should be made as soon as practicable upon obtaining the knowledge or suspicion or the reasonable grounds to suspect.
It is important for providers to ensure that there is no ‘tipping off’ to the person in question that a STR has been or is going to be made about them. It is equally important to ensure therefore that any personnel do not discuss any STRs or suspicions with anyone except those required to be informed about the knowledge/suspicion/STR for the purposes of submitting the STR, such as the Money Laundering Reporting Officer or Compliance Officer.
Competent Authority: The current competent authority, insofar as the supervision of providers is concerned, is the Department of Justice. In that role, the Department is tasked with taking all measures reasonably required for the purpose of ensuring compliance by providers with AML requirements.
Proposed Changes to the AML Regime
While the Bill does not propose an overhaul of the AML regime, it provides for some important changes that providers should be aware of.
Competent Authority: The new Gambling Regulatory Authority of Ireland (the “Authority”) will become the competent authority for AML purposes in respect of providers, replacing the Department of Justice. It will be important for providers to ensure that they understand and become familiar with the Authority’s approach and expectations in relation to AML compliance.
Licensing Regime: Current AML legislation requires a person who effectively directs a private members’ club at which gambling activities are carried on to register with the relevant Minister and to hold a certificate of fitness. This regime is being repealed. While not explicitly stated by the Bill, it appears that the intention is for the existing requirements to be replaced by the new licensing regime contemplated by the Bill. For example, part of the information required to be submitted when applying for a gambling licence will be confirmation of whether the applicant (or a related person) was ever refused a certificate of fitness, convicted of a relevant offence (which includes offences under AML legislation) or is the subject of proceedings in respect of a relevant offence. For information on the new licensing regime generally, please see our earlier briefing (here).
Similar Obligations: The Bill includes a number of measures which may overlap with AML obligations. Providers should consider these carefully in the context of their AML policies and procedures to ensure they have a coherent and effective framework in place. These include:
Providers of gambling services in Ireland will need to ensure that they are fully aware of the changes being brought in by the Bill. While the amendments proposed by the Bill to AML obligations are not necessarily extensive, they are important. The need to consider those changes should also serve as a useful prompt to ensure that providers are fully compliant with AML requirements. Considering the introduction of a new Authority, the classification of the industry as high risk by European Commission reports and the recent record fines imposed by the UK regulator, there should be no doubt as to the value of ensuring compliance.