SAML 2.0– Secure Login Standard for Single Sign-On
In 2005, the UK Parliament passed the Gambling Act 2005. This was the first legislation since the Gambling Act 1968 to assess the gambling industry and recommend legislative changes. Imagining how much gambling has evolved between the 20th and 21st centuries does not require too much creativity. In the nearly fifty-year time span between these two pieces of legislation, we have witnessed the rise of the home computer, the Internet, and mobile devices. We have watched globalisation dismantle once solid borders between nations. As you might have guessed, the changes to gambling law were notable and extensive.
For the sake of brevity and conciseness, changes to the Gambling Act 2005 were primarily focused on two areas: 1. social responsibility measures like the prevention of underage gambling, protecting against problem gambling, and treatment for addiction and 2. the “desire to impose regulation and order on the online sector”. Yet the process is not over. We should therefore start by taking a look at how legislation has evolved since the Gambling Act 2005 entered into force.
How has the regulatory framework around remote betting in the UK evolved
Over the past ten years, online bettors registering with gambling services have quadrupled. This amounted to a GBP 32.65 billion gross gambling yield (GGY) in 2022. Although the industry is currently witnessing a downward trend, with a reported 4 per cent decrease in the GGY that some attribute to intrusive regulatory practices by the UK Gambling Commission (UKGC), this sum is still exorbitant and requires strict oversight regulations.
As detailed as the Gambling Act 2005 was, operators licensed outside of the UK were still able to operate and offer their services for online gambling in the United Kingdom. As a result, remote gambling operators were subject to the regulations of the countries where they were licensed. Given the increased ease of money laundering and fraud with remote gambling and perhaps less stringent AML legislation, this is critical. This changed with amendments to the Act in 2014 that required all online gambling providers operating in the UK to hold a license from the UKGC and be subject to its regulations.
And where are we now? In light of recent criticism – including from UK lawmakers and a Member of Parliament – concerning the UKGC's invasive practices when it comes to ascertaining bettors' funds and monetary resources, the industry is eagerly awaiting new government-level recommendations on how to strike a balance between protection and a flourishing industry. These have been promised in the form of a white paper. Although there have been rumblings about this paper since late 2020, it seems very likely to be published in the second half of 2023 and includes many suggestions on social responsibility measures.
What will this mean for companies operating in the gambling and betting space? Preliminary reports suggest providers should brace themselves for more stringent minimum safety standards and consumer protection measures. They should also anticipate greater responsibility for detecting, monitoring and addressing problematic gambling behaviours.
A look at the UKGC crackdown on remote gambling
Since the start of 2023, the UKGC has fined online gambling providers over GBP 7.5 million for failures with respect to social responsibility and AML. Furthermore, in the past year alone, the UKGC has levied its highest fines ever on remote gambling providers who have flouted their responsibilities to ensure a secure and compliant environment. Let’s take a closer look at some of the highest fines.
Real-life examples of anti-money laundering and social responsibility failures in the online gambling industry
In the summer of 2022, an operator in the UK was fined a record £17 million by the regulator for failing to adequately check the origin of large deposits from unexpected sources and for being too lax in conducting customer due diligence. The operator was accused of failing to identify the origin of large sums of money deposited by a single bettor over several months and failing to assess the risks of a customer who had spent numerous nights gambling and deposited a large amount of money over an 18-month period.
Another operator was fined £9.4 million for inadequate anti-money laundering measures – including a lack of transparency in relation to the documentation required to verify the origin of funds and accepting verbal assurances from customers when verifying the origin of funds. The operator also failed to live up to social responsibility expectations by failing to block a client with multiple accounts who had concerns about the origin of his funds.
The highest fine imposed this year was on an operator that had to pay £6.1 million for failing to adequately consider the risks associated with certain types of customers – including those who were beneficiaries of a life insurance policy, who had links to high-risk countries, or who were politically exposed individuals or their family members or close associates. This operator was also accused of being slow to respond to customers who had already attracted attention for irregular gambling behaviour and extensive online gambling activity.
These examples range from minor failures – such as continuing to send promotional emails to players who have opted out – to more serious violations, such as failing to verify the source of funds for questionable deposits. The online gambling industry is subject to numerous regulations, and it is vital that operators ensure that their policies and practices are compliant in order to avoid costly fines and reputational damage.
How can remote gambling operators ensure compliance with AML and social responsibility regulations?
Estimates suggest that 24 million people in the UK participate in online gambling at least once a month. This amounts to 44 per cent of the entire adult population. On average, these adults spend between GBP 2.57/week or GBP 134/year. The UK Gambling Commission has issued licences to 2600 gambling companies. This is an expansive industry, which makes the potential fallout from any illegal or irresponsible practices immense. The legal framework is a reflection of these risks.
Gambling and Betting Regulations
All operators in the iGaming space must comply with four concrete regulations according to the UKCG. They are:
- The Proceeds of Crime Act 2002 (POCA), establishes several money laundering offences and elaborates on what an individual might do that would constitute them as guilty of these offences.
- The Terrorism Act 2000, which establishes several offences associated with engaging in or facilitating terrorism as well as raising or possessing funds for terrorist purposes. It also provides a list of organisations believed to be involved in terrorism.
- The Gambling Act 2005, which sets forth three objectives: i. prevent gambling from becoming a source of crime or disorder, ii. ensure that gambling is conducted in a fair and open way, and iii. protect children and other vulnerable persons from being harmed or exploited by gambling
- The UK Gambling Commission’s own money laundering and terrorist financing risk assessment, which is developed in partnership with industry experts, including law enforcement such as the National Crime Agency (NCA). The basis for the assessment is the framework of the Financial Action Task Force (FATF), the global money laundering and terrorist financing watchdog.
These are all lengthy legal documents. However, the UKGC assessment provides a relatively concise overview of how the authority expects remote gambling providers to conform with the law. A breakdown of the most important aspects that seem to be causing the most trouble for industry operators is given below.
- Customer due diligence
Know-your-customer (KYC) practices are essential for both AML and social responsibility practices. Not having a comprehensive picture of their customers – including their source of funds, risk of gambling addiction, age and occupation – complicates iGaming providers’ efforts to ensure these customers are not involved in illegal activities or posing a threat to themselves. The UKGC assessment recommends that operators perform risk-based customer due diligence and profiling upon initial contact with the customer, i.e. not one year later or only after hundreds of thousands of pounds have been deposited into remote gambling accounts. This should be achieved through thorough electronic verification and identification processes and monitoring should be ongoing. Enhanced due diligence should be performed if customers pose a higher risk. For example, if they are located in a high-risk third country, are known to have provided false or stolen identification, or there is a pattern of unusual transactions. - Record keeping
Compliance is not enough if operators fail to maintain robust records. This is primarily essential because records ensure a traceable audit trail that could aid potential financial investigations by law enforcement bodies. The UKGC also relies on such records when conducting compliance investigations. Good record keeping involves adequate and complete documentation of customer identities – including name, address, age, etc. – as well as any documentation acquired to assess potential risks, e.g. SOF documentation. The UKGC assessment also mentions supporting records, which could refer to any documents produced by the games themselves (data that denotes the frequency of play and amount spent, among other things) to provide a comprehensive view of customer account usage. These documents must all be retained for at least 5 years after the relationship with the customer has come to an end. - Suspicious activities and reporting
This is where things get a bit tricky. In the online gambling world, reporting suspicious activity could involve liaising with international authorities. The UKGC assessment clarifies in which cases operators are obliged to report questionable transactions or customers to the local authorities, in this case, the National Crime Agency (NCA), or when they have to get international Financial Intelligence Units (FIU) involved.
Even this abbreviated look at the obligations and regulations in the iGaming space verges on overwhelming. Maintaining compliance requires extensive knowledge of the legislation, exhaustive and rigorous processes, and the proper tools. This is where CIAM can help.
Compliance thanks to the use of a CIAM system
How can CIAM help iGaming operators meet their AML and social responsibility obligations?
During the onboarding process, when customers set up an online gambling account, a unique (digital) identity is created. This identity encompasses all of the data customers provide about themselves (name, age, postal address, email address etc.) and eventually all relevant accumulated data (e.g. SOF data, transaction amounts, gambling habits, etc.). At this point, a stringent identity verification process takes place to ensure the customer is who he or she claims to be. As mentioned above, this can be conducted electronically. All of this aggregated data ultimately amounts to a profile of the online bettor.
Customer profiles paint a clear picture of who is using an operator’s service. This type of KYC data not only ensures compliance with basic UKGC regulations, like age verification to mitigate underage gambling, but it also helps operators maintain a detailed overview of customer requests. Remember the case mentioned above of the operator who failed to remove a customer from a promotional email list? CIAM systems ensure these types of mistakes do not occur, thereby making it easier for operators to comply with their social responsibility obligations.
With Nevis, remote gambling and betting operators can ensure that KYC data is complete and up-to-date. This not only provides a seamless and personalised customer experience, but it also guarantees regulatory compliance.
Furthermore, using this arsenal of information, operators can also quickly determine if any activities raise red flags. For example, an injection involving a dramatically large amount of funds might suggest illegal activities. Prolonged gambling sessions could indicate the risk of addiction. However, what happens after suspicious activity has been detected?
Vigorous CIAM systems like Nevis’ use fraud detection and prevention tools as well as transaction confirmations to identify suspicious transactions and flag them for further review. They also rely on Behaviour User Analytics to monitor and analyse user behaviour to identify fraud patterns or unusual activity. Furthermore, a CIAM system ensures that this monitoring process is continuous and not simply performed during the login process.
Conclusion…
Although online gambling is associated with risks such as betting addiction and misappropriation of funds, there are also positive developments in the industry. Gambling operators are taking proactive measures to ensure that online betting customers use legally acquired funds to finance their betting habits. Regulators play an important role in implementing measures to protect users, while technology is leading the way in this change. If all stakeholders continue their efforts, the online gambling sector can flourish while protecting individual users' welfare and positively contributing to national and international security.
