Customer Due Diligence (CDD)

How to conduct Customer Risk Profiling in the Gaming Industry

Regulations and Guidance

As part of the regulated sector within the UK, those in the gambling sector classified as remote or non-remote operators, are required to meet their obligations within the Money Laundering Regulations 2017. One of these requirements is to assess the level of risk a client may represent to the business and apply appropriate due diligence to match that risk. 

The Gambling Commission, in its industry guidance for the prevention of money laundering and combating the financing of terrorism under section 6.2, also highlights the need for operators to perform risk profiling against its customers.  

Paragraph 6.2 from the Gambling Commission’s industry guidance for the prevention of money laundering and combating the financing of terrorism.

What does this mean practically?

Having a clear understanding of the inherent financial crime risk within the business is important. This is likely to be already done through a risk assessment process but when thinking about financial crime in the gambling sector the most prevalent risks are probably fraud or traditional money laundering. 

An example could look like:

A table of financial crime inherent risk ratings with levels for the gambling industry

Once the inherent financial crime risk is understood, it allows for better context of what risks the operator may be exposed to and subsequently what needs to be considered when assessing the risk of the customer. 

Consideration can then be made on the data points used which would initially be obtained through the registration process and any due diligence information collected. Whilst data points like country are still important, given that the key financial crime risk may be fraud, operators may wish to consider additional data points such as the email address, phone number or device to be included.

Now the data points have been established, in line with the inherent financial crime risks, an operator can consider how the scoring itself will work. Whilst you may think a complex risk profiling model is best, that may not be the case as it needs to be scalable, easily modifiable and explainable to the regulators.

Finally once the scoring is complete, ensuring you map the output to your due diligence process is the final step. This will enable an operator to offer a lower friction process for lower risk customers whilst still being able to identify higher risk customers allowing the application of enhanced due diligence. 

Dynamic Model

The profiling of an operator’s customers shouldn’t stop at onboarding though. In order to operate an effective customer risk profiling model which meets the regulatory requirements, mitigates the risk of financial crime and protects customers from harm from a responsible gambling perspective, operators should ensure it is dynamic. This means that rather than just using the data collected at onboarding to assess the customers risk, operators should use data collected from how the customer interacts with the product and also any additional due diligence obtained.  

Responsible Gambling

It is no surprise that some of the more recent fines coming from the Gambling Commission relate to operators failure to protect its customers from a responsible gambling perspective alongside failures to have appropriate controls to guard against money laundering.

In May the Gambling Commission published tighter measures to be implemented by operators, as part of their COVID-19 response, to protect their customers during lockdown. These measures include various points on assessing their clients:

  • Review thresholds and triggers for new customers to reflect the operator’s lack of knowledge of that individual’s play and spend patterns

  • Conduct affordability assessments for individuals picked up by existing or new thresholds and triggers which indicate consumers experiencing harm - limiting or blocking further play until those checks have been concluded and supporting evidence obtained, and;

  • Implement processes that ensure the continual monitoring of their customer base – identifying patterns of play, spend or behaviours have changed in recent weeks.

Responsible gambling has strong links to financial crime with various cases documented being linked to those who were using stolen funds to spend. This means that responsible gambling is an important risk factor to be included within any operator's customer risk profiling model alongside the traditional financial crime risks mentioned above. Data points for consideration could be methods of payment, deposits and behavioural patterns.

If operator’s continue to ineffectively implement custom risk assessment models, and choose to not include a responsible gambling aspect, we can only expect more fines to be issued in the near future for both responsible gambling and money laundering failures.


How to approach creating a new customer risk assessment model

Here are FINTRAIL and TruNarrative’s key takeaways when considering a customer risk profiling model:

  • Understand the inherent risk your customers represent to the business

  • Ensure you select the correct data points unique to your clients and product offering

  • Make sure the risk profiling is dynamic and doesn’t just stop once the customer is onboarded

  • Consider the inclusion of responsible gambling within your customer risk profiling 

  • Marry your due diligence process to your customer risk profiling

  • Take into consideration how you would implement your model using technology providers like TruNarrative to ensure if a players risk or behaviour changes, you get an instant alert and action

If you are interested in speaking to the FINTRAIL team about this or any other financial crime topic please get in touch with the team at: contact@fintrail.co.uk

This article is also available via TruNarrative’s website.

How to use Compliance as an enabler in Digital Transformation

Digital transformation for onboarding is a hot topic at the moment, given that much of the world is currently living their life from their sofas and managing their day-to-day financial needs from home. Having worked on transformation projects before with traditional FI’s, alongside assisting various FinTechs in the creation of new digital offerings, we at FINTRAIL thought it would be a good opportunity to move the spotlight onto compliance, and fly the financial crime flag by discussing some of the common misconceptions.

 

Front end change is just the tip of the iceberg

The ‘tip of the iceberg’ cliche has never been more appropriate when it comes to describing common misconceptions towards digital transformation. The main message is that a good user experience isn’t solely dependent on a minimal field registration journey, and that there are other components that need to be considered which the customer can’t see. Getting these components implemented effectively are equally as important and the focal point is our good friend - ‘a risk-based approach’. Having a robust risk-based approach can be the key for a slick user experience and dictate your approach to CDD, custom screening and risk management, enabling you to target your controls on your highest risk areas.

Image of front end change is the tip of the iceberg. Registration depicted above water, while the rest of the compliance processes depicted underwater as the main body of the iceberg

Less is more

It would be logical to assume that the less information you collect from your customer the better, and that allowing a customer to sign up by just inserting an email and password will drive your Trustpilot reviews through the roof. Ignoring the fact that this probably doesn’t actually meet your ID&V requirements, we would like to suggest that less isn’t always more. By creating a shortened registration process you may well get more sign ups, but if you subsequently need to perform downstream due diligence to address gaps, you could be creating a poor user experience further down the line, perhaps even in a critical situation when dealing with a vulnerable customer whose account has been frozen and they need urgent access to funds.  We don’t necessarily mean your registration process should be 100 fields deep across 10 pages but there is certainly a happy medium. 


Business enabling Anti-Financial Crime (AFC)

A common misconception is that financial crime compliance can be the blocker when it comes to innovation in these projects. It probably comes as no surprise that we at FINTRAIL would offer a healthy challenge to those naysayers. 

So, you are 6 months into your digital transformation project, it’s all on JIRA (other platforms are available) or you have a lovely Gantt chart. You have lined up all your sprints and it suddenly occurs to you that you should speak to your compliance team. After 45 minutes debriefing your compliance team, they have a bunch of questions and recommendations before you can move the project forward, resulting in you putting a big red “Stuck” against it. While you may have translated this into a no, these recommendations do not necessarily mean no, and even if it is a no, is that really surprising considering you have only introduced them as stakeholders so late on? Obviously we are focusing on the negatives here to emphasise our point and the above is certainly not a reflection on most businesses’ these days.

Some of the most successful projects we have been part of are the ones where AFC stakeholders have been included as part of the journey rather than just at sign off. There is a new breed of financial crime professionals who want to be viewed as business enablers and able to offer a great user experience as much as the next product owner.

A RACI (responsible, accountable, consulted, informed) matrix is often used in project delivery to divvy up people’s roles. With that in mind your approach may have been previously to assign compliance a consulted duty, but we would encourage you to increase their involvement in order to reduce blockers downstream and increase compliant innovation.

RACI project management chart with Compliance/financial crime function moved from consulted to responsible/accountable

Being a Compliance Champion

Equally it is not just the business that needs to take ownership of transformation, it can also be the fincrime function itself. Embracing change has never been more important in a digital enabled world and as fincrime professionals we should be just as excited by these new developments. Whether it is the implementation of a new due diligence process or screening programme, don’t be afraid to rip up the policy and start again. There is no reason why the financial crime team cannot be the driver for change.

Build, Buy or Both?

Like the ‘tip of the iceberg’, ‘build or buy’ is also becoming a bit of a cliche. What we do know is that you will likely need to partner with some technology providers in order to achieve your future state goals. Equally, even if you partner with someone, there will be an element of building that goes hand in hand. There are a variety of great providers available with a range of capabilities but we would like to reposition the ‘build or buy’ question. No single provider will solve all of your needs, and equally, to build everything in house isn’t logical when there are specialist systems available. This potentially means that the ‘build or buy’ question is a goose chase and in fact an amalgamation of the two is the best approach to adopt. 

Takeaways

Here are our top takeaways to be a compliance champion when it comes to digital transformation:

  • User experience does not stop on the physical registration page; it continues throughout the customer lifecycle

  • Less is not always more when it comes to identification programmes

  • Treat your compliance/ fincrime team as business enablers, engaging them in discussions earlier

  • Answer your build, buy or both question

  • A risk-based approach marries itself perfectly with transformation projects

If you are interested in speaking to the FINTRAIL team about this or any other financial crime topic please get in touch at: contact@fintrail.co.uk