KYC/AML Legislation: An Introduction


Questions and Answers

Which factor most directly determines the specific KYC/AML procedures an iGaming company must follow?

  • The licenses the company holds and regional/local law requirements (correct)
  • The company's annual revenue
  • The iGaming operator's marketing budget
  • The number of employees in the compliance department

What is the primary focus of the UK Gambling Commission (UKGC)?

  • Consumer protection and industry integrity within the UK (correct)
  • Supporting the growth of online gambling startups
  • Promoting international collaboration in gambling regulation
  • Maximizing tax revenue from gambling operations

What is a key characteristic of the Curacao Gaming Control Board (CGB) license?

  • It is recognized in all highly regulated markets universally
  • It imposes the highest tax rates in the iGaming industry
  • It offers a single license covering all online gambling activities (correct)
  • It requires operators to have a physical presence in Curacao

Why is it important to verify Source of Funds (SOF) and Source of Wealth (SOW) for high-value customers, according to the AML/KYC guidelines?

  • To prevent money laundering and other financial crimes (A)

According to the guide, what does the acronym 'STR' stand for, in the context of AML/KYC?

  • Suspicious Transaction Reporting (A)

Which statement is most accurate regarding iGaming operators in the EU and their compliance with EU AML directives?

  • EU AML directives require stringent measures for CDD, transaction monitoring, reporting, and record-keeping. (C)

Why are Politically Exposed Persons (PEPs) considered high risk in the context of AML/KYC?

  • They have a higher likelihood of being involved in money laundering, corruption, or bribery (C)

What does Enhanced Due Diligence (EDD) for PEPs specifically include?

  • Verifying Source of Wealth (SOW), obtaining senior management approval, and conducting ongoing monitoring (C)

Which of the following describes the purpose of Sanctions?

  • To pressure targets to change behaviour, deter undesirable activities, punish past actions, or protect national interests (D)

What is the primary concern related to data privacy in the iGaming industry?

  • Protecting personal information and giving individuals control over their data (C)

What is the cornerstone of EU data protection regulation?

  • General Data Protection Regulation (GDPR) (C)

What does a risk management framework provide for iGaming?

  • A structured approach to identify, assess, mitigate, and monitor risks (A)

Which of the following actions is part of 'Risk Mitigation' in the context of a risk management framework?

  • Implementing strategies to reduce the likelihood or impact of risks (B)

What is the first key step in relation to your tasks?

  • Identify the Risks (B)

In the context of KYC/AML, what does 'Procedural Errors' refer to?

  • Inconsistencies in applying KYC/AML procedures across teams (A)

What is the document's recommendation regarding seeking advice?

  • Employees should ask questions or seek support if unsure. (D)

What is the main issue regarding the pitfall 'Over-Sharing'?

  • Sharing more data than needed (D)

What is the recommendation regarding 'Collaboration'?

  • Work closely with partners, sharing expertise and participating in joint investigations when needed. (B)

What is the main focus of 'E-wallets' in the context of KYC/AML regulations?

  • Verifying identity, transaction history, and account ownership (B)

What is the recommendation regarding following escalation procedures?

  • Follow escalation procedures for complex or high-value cases and know key contacts at payment partners. (D)

Flashcards

iGaming Licenses and Jurisdictional Differences

Understanding license types and regulatory differences across countries.

Effect of iGaming Licenses on AML/KYC Legislation

How the license influences Anti-Money Laundering (AML) and Know Your Customer (KYC) obligations.

Explanation of FATF, FIU, and EU AMLD

Learning about key international and regional bodies shaping AML regulations.

Politically Exposed Persons (PEPs)

Identifying and managing risks associated with individuals in prominent public positions.

Sanctions and Implications for iGaming

Understanding sanctions and their impact on iGaming operations.

Data Privacy and Protection

How to handle personal data in compliance with global regulations.

Risk Management Framework

Our method for identifying, assessing, and reducing risks.

Risk Mitigation

Steps taken daily to lower risks.

Communication with Payment Partners

How we communicate effectively during investigations.

Communication when Requesting Evidence

Best practices for responding to evidence requests.

FATF Responsibilities

Sets global standards to combat money laundering and terrorist financing.

AML/KYC risk-based approach

Requires a risk-based approach based on player origin, transaction patterns, and payment method.

FIU definition

National centers for analyzing suspicious financial activity.

EU AMLD

A series of directives establishing AML/CFT benchmarks for EU member states.

PEPs are considered

High risk due to access to public funds, corruption.

Definition of Sanctions

Political or economic actions by governments on countries.

Sanctioning Body: United Nations

UN Security Council Consolidated List.

Key Principles of Data Privacy

Transparent, limited purposes, accurate, secure, and accountability.

Risk Management Framework

Structured approach to identify, assess, and lower risks.

Customer Screening

Check customers against sanctions lists.

Study Notes

Introduction to KYC/AML Legislation

  • What is being discussed is strictly from a legal standpoint
  • Procedures could vary depending on the specific licenses for regions, including compliance and local law
  • Adherence to operational procedures & company guidelines is paramount
  • Consult the Wiki knowledge base or a supervisor if unsure
  • Upholding the law is everyone's responsibility
  • Failure to do so risks penalties or prosecution

Overview of Topics

  • Covers iGaming Licenses and Jurisdictional Differences to understand the variations in regulations across countries
  • Discusses the Effect of iGaming Licenses on AML/KYC and Related Legislation
  • Explains how held licenses influence Anti-Money Laundering (AML) and Know Your Customer (KYC) obligations
  • Provides an Explanation of FATF, FIU, and EU AMLD in relation to international and regional bodies shaping AML regulations
  • Focuses on Politically Exposed Persons (PEPs) by helping with identification and managing risks associated with them
  • Describes Sanctions and their Implications for iGaming and explains how they affect operations
  • Details how to handle personal data in Data Privacy and Protection in compliance with global regulations
  • Outlines a Risk Management Framework for identifying, assessing, and mitigating risks
  • Gives the reader Risk Mitigation tips with steps to reduce risks in daily tasks
  • Discusses Communication with Payment Partners and how to communicate during investigations
  • Teaches Communication with Partners when they Request Evidence and the best practices for responding to evidence requests

iGaming Licenses and Jurisdictional Differences

  • Understanding regulatory frameworks, licensing, AML/KYC, and legislation is vital for compliance in the iGaming industry

UK Gambling Commission (UKGC)

  • Covers the United Kingdom
  • The UKGC license applies to operations within the UK
  • It regulates all forms of gambling within the UK
  • It is known for its focus on consumer protection and industry integrity in regulation

Main Differences (UKGC)

  • Responsible gambling is emphasized (self-exclusion, deposit limits, age verification)
  • There are strict advertising rules
  • Operators must show financial stability
  • High technical standards must be met for gaming software

AML/KYC (UKGC)

  • High-value customers must verify Source of Funds (SOF) and Source of Wealth (SOW)
  • Enhanced Due Diligence (EDD) is needed for high-risk customers, like PEPs
  • Continuous transaction monitoring for suspicious activity is required
  • Suspicious activity must be reported to the National Crime Agency (NCA)

Malta Gaming Authority (MGA)

  • MGA licenses are recognised in many EU and some non-EU countries, but local regulations still apply
  • All forms of gambling in Malta are regulated
  • A well-established and respected jurisdiction

Main Differences (MGA)

  • A tiered licensing system exists
  • The focus is on player protection and responsible gambling
  • Competitive tax rates are offered
  • It aligns with EU directives

AML/KYC (MGA)

  • A risk-based approach is necessary, taking into account player origin, transaction patterns, and payment method
  • Standard Customer Due Diligence (CDD) procedures
  • Obligation of Suspicious Transaction Reporting (STR) to the Financial Intelligence Analysis Unit (FIAU)
  • Specific Customer Risk Assessment (CRA) thresholds are in place (€2000, €10,000, optional €15,000, €40,000, €100,000+) with increasing due diligence requirements at each stage

Swedish Gambling Authority (SGA/Spelinspektionen)

  • Covers Sweden
  • The SGA license applies to operations within Sweden
  • Regulates all forms of gambling in Sweden with a consumer protection focus

Main Differences (SGA)

  • All operators serving Swedish customers require a license
  • Responsible gambling is emphasized (mandatory self-exclusion, deposit limits)
  • Marketing and advertising have strict rules
  • Data protection regulations are strong and aligned with GDPR

AML/KYC (SGA)

  • Enhanced CDD is required for high-risk customers
  • Continuous transaction monitoring
  • Suspicious activity must be reported to the Swedish Financial Police

Curacao Gaming Control Board (CGB)

  • Has a global reach, but acceptance varies per specific markets, base license
  • A single all-encompassing license is available for all online gambling

Main Differences (CGB)

  • The licensing process is simplified
  • Lower tax rates
  • Less stringent regulatory oversight compared to UKGC, MGA, or SGA
  • Master license holders can issue sub-licenses

AML/KYC (CGB)

  • Developing regulations with increasing compliance emphasis
  • Basic CDD requirements, including identity verification
  • Transaction monitoring is growing

Kahnawake Gaming Commission (KGC)

  • An independent regulatory body operating within a First Nations reserve in Quebec, Canada
  • Licensing is internationally recognised, but the legal context is unique
  • One of the oldest and most established jurisdictions, licensing since 1999

Main Differences (KGC)

  • Licensing involves background checks, system reviews, and financial audits
  • Player protection (fair gaming, responsible gambling, dispute resolution) is prioritized
  • Adherence to strict technical standards is required
  • Considered cost-effective

AML/KYC (KGC)

  • A risk-based approach is mandated
  • CDD is required on all customers, plus EDD on high-risk customers, including PEPs
  • Suspicious transactions must be reported to the Financial Intelligence Unit (FIU)

Russia

  • Has a very restrictive approach to gambling
  • Online casinos are generally illegal
  • Limited legal gambling: online sports betting through licensed operators and state lotteries
  • Clients are known to visit international websites since, as a platform for game providers, we are based outside of Russia and do not promote inside the country, aside from the sports betting website leon.ru

Tanzania

  • Regulated by the Gaming Board of Tanzania (GBT)
  • Licenses are issued for online casinos and sports betting
  • Foreign companies can apply but may need a local presence
  • Has strict AML/KYC requirements while promoting responsible gambling

Brazil

  • Approved regulatory framework for sports betting and online gambling
  • Licenses are issued by the Ministry of Finance
  • Requires local presence (20% Brazilian ownership) and financial/technical requirements
  • Emphasises responsible gambling and has advertising guidelines

Philippines

  • Regulated by the Philippine Amusement and Gaming Corporation (PAGCOR) and the Cagayan Economic Zone Authority (CEZA)
  • PAGCOR issues Offshore Gaming Licenses (POGOs) for operators serving players outside the Philippines
  • Licensing has strict AML measures

Thailand

  • Most forms of gambling are generally prohibited under the Gambling Act B.E.2478 (1935)
  • Online gambling is largely illegal, though changes are being considered
  • Thailand and the Philippines both have AML/KYC regulations and a wider focus on responsible gambling/data privacy
  • Each country has its own regulatory landscape
  • AML/KYC requirements are set primarily by license
  • Licenses often require the FATF recommendations to be followed
  • Multiple licenses require the strictest rules to be followed
  • EU jurisdictions must follow EU AML directives, while non-EU jurisdictions are often influenced by them
  • Cooperation levels with Financial Intelligence Units (FIUs) vary
  • Data retention rules are determined by the jurisdiction of the license

Explanation of FATF, FIU & EU AMLD

  • Global standards for combating money laundering and terrorist financing
  • The 40 Recommendations provide the comprehensive framework for AML/CFT regimes
  • Key Recommendations: risk-based approach, Customer Due Diligence (CDD), suspicious transaction reporting, record-keeping, and international cooperation
  • Highly relevant to iGaming given vulnerability to financial crime, so robust AML/CFT programs must be implemented

FIU Details

  • They are national centres responsible for receiving, analysing, and sharing information about suspicious financial activity
  • They receive Suspicious Transaction Reports (STRs) from financial institutions
  • They analyse information to identify potential financial crimes and share it with law enforcement
  • Cooperation with applicable FIUs is vital via STR submissions and responding to information requests

EU AMLD (EU Anti-Money Laundering Directives)

  • Comprise a series of directives (6 in total) establishing comprehensive AML/CFT requirements for EU member states
  • Key directives relevant to iGaming include the 4th AMLD (risk-based approach, enhanced CDD, expanded scope), 5th AMLD (enhanced transparency, stricter CDD for high-risk customers, improved FIU cooperation), and 6th AMLD (criminalisation of money laundering offences, common definitions)
  • Have a significant impact on iGaming operators in the EU, requiring proper CDD, transaction monitoring, reporting, and record-keeping

Connection to iGaming Vulnerabilities and Compliance Obligations

  • The iGaming industry is prone to money laundering due to volume of money, potential for anonymity, and cross-border transactions

Crucial compliance obligations involve

  • Implementing AML/CFT programs that align with FATF Recommendations and EU AMLDs
  • Conducting CDD by verifying customer identity, assessing risk, and monitoring transactions
  • Reporting suspicious activity by submitting STRs to the relevant FIU
  • Cooperating with authorities in investigations
  • Training staff on AML/CFT procedures
  • All staff play a part in compliance by following said procedures

Politically Exposed Persons (PEPs)

  • PEPs are those who hold prominent public functions, along with their family members and close associates
  • Considered higher risk due to possible involvement in money laundering, corruption, and bribery

Categories of PEPs

  • Foreign PEPs: Those holding prominent public roles in other countries
  • Domestic PEPs: Those holding roles in the same country
  • International Organizations PEPs: Senior figures in bodies like the UN or World Bank
  • Family Members: Spouses, partners, children, parents, siblings
  • Close Associates: Advisors, business partners, with joint beneficial ownership

Why PEPs are High Risk

  • They often have access to public funds and influence

Regulatory Requirements for PEPs

  • FATF Recommendations include identifying PEPs and applying Enhanced Due Diligence (EDD)
  • EDD for PEPs includes verifying their Source of Wealth (SOW), obtaining senior management approval, and conducting ongoing monitoring
  • EU AML Directives also incorporate the FATF requirements
  • Use PEP lists and databases (commercial, government, and public information) to screen customers

PEP Screening

  • Challenges encountered include data quality, false positives, and difficulty discovering close associates

Enhanced Due Diligence (EDD) (For PEPs)

  • Includes risk assessment, SOW verification, ongoing monitoring, and detailed documentation

De-risking and PEP Relationships

  • Recognize that not all PEPs are involved in crime
  • Employ a risk-based approach to PEP relationships, using proportionate EDD
  • Avoid auto-excluding all PEPs, because it is discriminatory
  • Staff should be trained in procedures for identifying PEPs, risk assessment, and EDD
  • Be aware of the associated risks & the importance of screening

Sanctions in iGaming

  • Sanctions are political and economic measures by governments or international bodies against individuals, entities, or countries
  • Measures include asset freezes, trade restrictions, and travel bans

Purpose of Sanctions

  • They pressure targets to change behaviour, deter undesirable activities, punish past actions, or protect national interests

Types of Sanctions

  • Targeted: focus on specific individuals, entities, or groups
  • Comprehensive: Directed at entire countries or regions
  • Sectoral: Target specific sectors of an economy

Sanctions and iGaming Considerations

  • Businesses are subject to sanctions regulations when handling financial transactions
  • Operators may encounter customers from sanctioned regions or individuals on sanctions lists
  • Strict compliance reduces the risk of severe penalties
  • Robust screenings are commonplace

Sanctioning Bodies and Lists

  • United Nations (UN): UN Security Council Consolidated List (asset freezes, travel bans, arms embargoes)
  • United States: Office of Foreign Assets Control (OFAC) and its Specially Designated Nationals and Blocked Persons (SDN) List and Sectoral Sanctions Identifications (SSI) List
  • European Union (EU): EU Financial Sanctions Database
  • Russia: Imposes countersanctions through government bodies including the President, Government, Ministry of Foreign Affairs, Federal Customs Service, Central Bank, and Rosfinmonitoring (FIU)
  • Other bodies include the UK (OFSI), Australia (DFATC List), and Canada (CCAS List)

Sanctions Screening in iGaming

  • Customer Screening: Check customers against sanctions lists at onboarding and ongoing (CRA)
  • Transaction Screening: Check transactions for potential violations
  • Payment Blocking: Stop transactions that breach sanctions
  • Reporting: Report suspected violations to the authorities through the MLRO

Best Practices for Sanctions Compliance

  • Conduct a risk assessment
  • Implement a strong sanctions screening program
  • Perform enhanced due diligence on high-risk customers
  • Provide regular training to staff
  • Continuously monitor transactions and customer activity
  • Conduct regular audits
  • Consult with legal experts
  • Sanctions compliance is an ongoing process that requires regular audits and legal guidance to comply with global regulations

Data Privacy and Protection in iGaming

  • Privacy is handling personal information responsibly, giving individuals control over their data.
  • Protection is security from unauthorized access.
  • Key principles: transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity/confidentiality, accountability

Relevance to iGaming Data Privacy

  • Companies handle a lot of personal data; financial losses, reputational damage, and legal issues must therefore be avoided
  • General Data Protection Regulation (GDPR): the cornerstone of EU data protection, giving individuals strong rights
  • ePrivacy Directive (Cookie Law): Regulates the use of cookies, requiring informed consent
  • 5th Anti-Money Laundering Directive (5AMLD): Includes data protection aspects for AML/CFT purposes

GDPR (EU Data Protection Regulations)

  • Includes lawfulness, transparency, fairness, purpose limitation, data minimization, accuracy, and storage limitation

UK Data Privacy

  • The GDPR has been mirrored in UK law since Brexit
  • GDPR is supplemented through the Data Protection Act 2018

Russia Data Privacy

  • Federal Law No. 152-FZ "On Personal Data": Key aspects include storing Russian citizens' data on Russian servers, data security obligations, and rules on cross-border
  • Minimization, consent requirements, transfer, and the regulator

Other Jurisdictions

  • LGPD (Brazil), POPIA (South Africa), Data Privacy Act (Philippines), Personal Regulations on Data Protections (Tanzania) are examples of similar laws
  • Companies always consult legal experts from a compliance team
  • Transparency is a must for ensuring a lawful basis
  • Encryption is key
  • Access control is vital
  • Planning data breach responses

Data Privacy Considerations

  • Data Subject Rights: Allow individuals rights like access, rectification, erasure, restriction of processing, data portability, and objection
  • Data Transfers: Ensure safeguards for data transfers

Best Practices for Data Privacy

  • Have a clear policy
  • Practice data minimization
  • Have a Data Protection Officer (DPO)
  • Train employees
  • Conduct regular training and audits

Data Privacy Consequences

  • Significant fines, reputational damage, legal liabilities, and loss of customer trust

Risk Management Framework for iGaming

  • A structured approach to understanding, assessing, mitigating, and monitoring risks
  • The approach is systematic, to manage outcomes
  • Provides potential industry trends within workshops and brainstorm sessions
  • Evaluate all the potential impacts
  • Implement responses to prevent risk
  • Monitor mitigation

Risks and Likelihood of iGaming

  • Potential legal, regulatory, reputational, operational, financial, etc.

Benefits of Framework

  • Improved decision-making, enhanced efficiency, proactive identification, loss mitigation, regulatory compliance, and protection

Identification of Mitigation

  • Categorize, document, and identify any risks

Monitoring and Risk Assessment

  • Continuously monitor and update actions
  • Assess the likelihood, prioritize, and examine the appetite

Strategies to Implement

  • Monitor actions: avoidance, mitigation, transfer, acceptance
  • Employ preventive, detective, and corrective controls

Risk Areas

  • Financial: money laundering
  • Operational: Human error and/or technology errors
  • Regulatory: compliance and licensing
  • Reputational: negative gambling
  • Use frameworks

Risk Mitigation for The Team

  • Use the framework to mitigate

To Breakdown

  • Understand and identify what could go wrong/be improved
  • Use previous knowledge
  • Evaluate, implement, structure, and consider partners

Communication with Payment Partners

  • Effective communication during a fraud, AML, and KYC investigation is vital
  • A professional style can be followed

Key Principles for Clear Communication

  • Standardized templates
  • Privacy is a must
  • Report everything
  • Be timely

Details of Suspicious Activity

  • Communicate properly

Data and Details

  • Know data regulation
  • Request and use key details like information on source, ID, and any verification

Jurisdictional Considerations of AML

  • Understand jurisdiction procedures
  • FIU Cooperation
  • Details of Types of Partners: payment gateways for mobiles, credit and crypto processors, E-wallets, etc

Communicate with Key Payments

  • Crucial for requests, and must be transparent in practices

Main Focus

  • Build solid, professional, and collaborative practices

Potential Pitfalls

  • Share information only as necessary
  • Know data privacy
  • Timeliness is a must
  • Procedures need to be consistent

The Point of Regulation

  • Proper handling increases success

Conclusion

  • In summary, KYC/AML and data integrity are crucial throughout the team, especially with regulations and operations
