The Financial Intelligence Analysis Unit in collaboration with the Malta Gaming Authority has published a revised version of the Implementing Procedures Part II for the Remote Gaming sector.
Rendered necessary to the address amendments for the Prevention of Money Laundering and Funding of Terrosim Regulations, Implementing Procedures Part I, and reflecting realities that the FIAU and MGA officers have been encountering, the new procedure looks to focus on certain aspects of the PMLFTR and to ensure that they are understood and interpreted consistently by licensees.
As part of the new procedure, all licensees are required to carry out a business risk assessment to identify the ML/FT risks that they are exposed to and ensure that the measures, policies, controls and procedures adopted are ‘sufficiently robust’ to prevent and mitigate the same.
The procedure reads: “The business risk assessment has to be documented and approved by the board of directors (or equivalent) of the licensee, and made available to the FIAU and/or to the MGA upon request.
“The document itself identifies the document version, the date of the latest revision, and the date when the document was last approved by the board of directors.
“Licensees are expected to revise their business risk assessment whenever there are changes to the environment within which they are operating and within their business structures/activities. Thus, situations such as a sidening of the customer-base or the addition of games and payment methods which present a different risk profile from those already offered should lead to a revision of the business risk assessment.
“The same applies when the licensee changes its structure or undertakes major operational changes. In the absence of any of the above, licensees have to assess their business risk assessment at least once a year, to evaluate whether any changes thereto are necessary.
“Licensees may engage external consultants to assist them in the drawing up and the revision of their business risk assessments. However, it will be necessary for any report, findings and conclusions to be adopted by the licensee who retains responsibility to ensure it complies with its obligation to carry out a business risk assessment.”
The procedure notes that the risk factors specific to the remote gaming sector vary in accordance with the type of customer. The assessment of the risk posed by a natural person is, according to the FIAU, generally based on the person’s economic activity and/or source of wealth.
It reads: “A customer having a single source of regular income will pose a lesser risk of ML/FT than a customer who has multiple sources of income or irregular income streams.”
Moreover, the FIAU and MGA have split the risk factors specific to the remote gaming industry into three sectors; product, service, and transaction risk; interface risk, and geographical risk.
Under Product, Service, and Transaction some risks are ‘inherently riskier’ than others and are more attractive to criminals, such as gaming products or services that allow the customer to influence the outcome of a game.
Funding methods, including cash and other similar or anonymous payment methods that do not leave an audit trail whilst allowing the customer to operate with a degree of ‘complete anonymity’, such as pre-paid cards or virtual financial assets, are considered high risk of ML/FT and should be treated as high risk factors.
The Interface Risk, according to the FIAU and MGA, are the channels through which a licensee establishes a business relationship through which transactions are carried out can have a bearing on the risk profile of a business relationship or a transaction.
The procedure reads: “Channels that favour anonymity increase the risk of ML/FT if no measures are taken to address the risk. While situations where interaction with the customer takes place on a non face-to-face basis no longer lead to the relationship being considered as automatically high risk, interacting in this manner is still to be considered as a high risk factor for risk assessment purposes unless the licensee adopts technological measures and controls to address the heightened risk of identity fraud or impersonation present in these situations.”
The Geographical Risk is the risk posed to the licensee by the geographical location of the business/economic activity and the source of wealth/funds of the business relationship. In this section the nationality, residence and place of birth of a customer have to be taken into account, according to the procedure.
It reads: “Countries that have a weak AML/CFT (Money Laundering/Counter of Funder of Terrorism) system, countries known to suffer from a significant level of corruption, countries subject to international sanctions in connection with terrorism or the proliferation of weapons of mass destruction as well as countries which are known to have terrorist organisations operating within are to be considered as high risk.
“The opposite is also true and may therefore be considered as presenting a medium or low risk of ML/FT.”
The procedure also includes guidance on customer due diligence and clarification on the obligations of subject persons, specifically when the customer is not willing to provide the necessary information and documentation required as part of CDD.
Additionally the procedure further elaborates on risk factors which are to be taken into account by subject person, such as the involvement of affiliates, the extension of the licensees’ own anti-money laundering and countering the funding of terrorism and the provision of targeted guidance on corporate licensees.