Online operator Spreadex to pay £1.36million for AML and social responsibility failings

Categories: News

Just eight days after announcement of the record £17 million regulatory sanction incurred by Entain for AML and social responsibility failings, the Gambling Commission has today (25 August 2022) announced that, pursuant to a regulatory settlement, remote gambling business Spreadex Limited is to pay £1.36 million for similar types of failing.

Today’s announcement by the Commission reads as follows:

Gambling business Spreadex Limited is to pay £1.36 million after a Gambling Commission investigation revealed social responsibility and anti-money laundering failures.

The operator – which runs spreadex.com – will pay the money to socially responsible causes as part of a settlement with the Commission.

Leanne Oxley, Gambling Commission Director of Enforcement and Intelligence, said:

“Whilst it is disappointing to see anti-money laundering and social responsibility breaches occur despite our extensive published cases highlighting similar failures, we note the swift and robust action the Licensee took to bring itself back to compliance. We expect similar commitment and engagement across the gambling sector.”

Social responsibility failures included:

  • having financial alerts which were ineffective and allowed customers to lose significant amounts over a short period of time
  • placing an overreliance on financial alerts to identify customers at potential risk of experiencing harms
  • not sufficiently recording and evaluating its customer interactions
  • one customer was able to deposit £1.7 million and lose £500,000 during the course of a one month period – although customer interactions had taken place they had not been sufficiently evaluated, and did not include considering the effectiveness of restricting the account.

Anti-money laundering failures included:

  • a customer who met a £25,000 financial deposit alert had the alert for further review increased to £100,000 based on a self-declaration of income and an open-source check
  • a customer was able to deposit £365,000 and lose £284,000 over a period of 3 months without Source of Funds being sufficiently established
  • a customer was able to continue depositing after providing redacted bank statements in response to a request for evidence of Source of Funds.

Details of the failings of Spreadex Limited can be read in the public statement.

Worthy of particular note by other operators is that, as part of the ‘swift and robust action’ to which the Commission’s Director of Enforcement and Intelligence has referred was a decision by Spreadex to:

  • to self-suspend its casino activities for 5 months “to mitigate risk”,
  • provide an action plan immediately following the Compliance Assessment and
  • take effective action to expand and improve its compliance capacity.

The Commission’s Public Statement (that can be downloaded below) also sets out a number of ‘good practice’ measures, of which all UK licensed gambling operators should also take note. The full Public Statement reads as follows:

Spreadex Limited Public Statement

Key failings:

  • breach of licence condition 12.1.1 paragraphs 1, 2 and 3 – Prevention of Money Laundering and Terrorist Financing
  • failure to act in accordance with Ordinary Code Provision (OCP) 2.1.1 – Anti-Money Laundering (Casino)
  • failure to comply with Social Responsibility Code Provision 3.4.1 paragraph 1 and 2 – Customer Interaction.

Operators are expected to consider the issues outlined below and review their own practices to identify and implement improvements in respect of the management of customers’ accounts.

Introduction

Licensed gambling operators have a legal duty to ensure their gambling facilities are provided in compliance with the Gambling Act 2005 (opens in new tab) (the Act) and the conditions of their licence, and in accordance with the licensing objectives, which are to:

  • prevent gambling from being a source of crime or disorder, being associated with crime or disorder or being used to support crime
  • ensure that gambling is conducted in a fair, safe and open way
  • protect children and other vulnerable people from being harmed or exploited by gambling.

Spreadex Limited Executive summary

This investigation resulted in the commencement of a section 116 regulatory review of Spreadex Limited (Spreadex), Combined Remote Operating Licence number: 000-008835-R-104580-017. The Commission commenced its regulatory review on 2 June 2021, following concerns identified in a compliance assessment conducted in May 2021.

The regulatory review found failings in Spreadex’s procedures which were aimed at preventing Money Laundering (ML) and protecting vulnerable people.

Between January 2020 and May 2021 Spreadex breached its Licence Conditions and Codes of Practice (LCCP), specifically:

Taking into account remedial action taken by Spreadex and in line with our Statement of Principles for licensing and regulation, Spreadex will pay a total of £1,363,786 in lieu of a financial penalty.

Spreadex Limited Findings

The investigation and our subsequent regulatory review found:

  • failings in Spreadex’s implementation of anti-money laundering (AML) policies, procedures and controls
  • deficiencies in its responsible gambling policies, procedures, controls and practices, including weaknesses in implementation.

Breach of paragraph 1 of licence condition 12.1.1

Licence condition 12.1.1(1) states, “Licensees must conduct an assessment of the risks of their business being used for money laundering and terrorist financing. Such risk assessment must be appropriate and must be reviewed as necessary in the light of any changes of circumstances, including the introduction of new products or technology, new methods of payment by customers, changes in the customer demographic or any other material changes, and in any event reviewed at least annually.”.

The Commission found, and Spreadex acknowledged, that its Money Laundering and Terrorist Financing Risk Assessment (ML and TF RA) was not fully compliant with licence condition 12.1.1 (1). In particular:

  • it had not been reviewed and updated on an annual basis as required, and did not take into account and adequately consider information on the risks of ML and TF made available in Commission publications
  • it did not acknowledge and assess all the relevant customer, product and geographical risk factors.

Breach of paragraph 2 of licence condition 12.1.1

Licence condition 12.1.1(2) states “Following completion of and having regard to the risk assessment, and any review of the assessment, Licensees must ensure they have appropriate policies, procedures and controls to prevent money laundering and terrorist financing.”.

The Commission found, and Spreadex acknowledged, that it was not fully compliant with licence condition 12.1.1(2). In particular:

  • there were weaknesses and shortcomings in relation to the adequacy and maintenance of its AML policies, procedures and controls
  • certain customers were able to deposit large amounts of money without sufficient interaction being triggered, such as a Source of Funds (SOF) check.

As examples, the Commission’s concerns included:

  • ineffective Enhanced Customer Due Diligence (ECDD) triggers allowed customers to deposit large sums of money before the first AML review was undertaken
  • the level of information obtained and verified by the Licensee did not increase in line with customer ML risk levels. In one case, a customer who met a £25,000 financial deposit alert, had the alert for further review increased to £100,000 based on a self-declaration of income and an open-source check
  • over reliance on electronic verification checks without obtaining additional independent evidence from reliable sources.

Breach of paragraph 3 of licence condition 12.1.1

Licence condition 12.1.1(3) states, “Licensees must ensure that such policies, procedures and controls are implemented effectively, kept under review, revised appropriately to ensure that they remain effective, and take into account any applicable learning or guidelines published by the Gambling Commission from time to time.”.

The Commission found, and Spreadex acknowledged, that its policies, procedures and controls were not fully compliant with licence condition 12.1.1(3). In particular, the Licensee:

  • failed to critically review SOF documentation and was over reliant on electronic checks
  • did not have in place sufficient staff to respond to financial triggers in a timely fashion and to adequately mitigate the risk.

As examples, the Commission’s concerns included:

  • a customer who was able to continue depositing after providing redacted bank statements in response to a request for evidence of SOF
  • a customer who was able to deposit £365,000 and lose £284,000 over a period of 3 months without SOF being sufficiently established.

The Commission’s review of the specific customers identified during the Compliance assessment found no evidence of criminal spend with the Licensee.

Failure to consider Ordinary Code Provision (OCP) 2.1.1 – Anti-money Laundering (Casino)1

The findings set out at 1 to 3 occurred, to an extent, because Spreadex had failed to sufficiently take into account the Commission’s AML guidance. OCP 2.1.1, states: “In order to help prevent activities related to money laundering and terrorist financing, licensees should act in accordance with the Commission’s guidance on anti-money laundering: The Prevention of Money Laundering and Combating the Financing of Terrorism – Guidance for remote and non-remote casinos.

Failure to comply with: Social Responsibility Code 3.4.12

Social Responsibility Code Practice (SRCP 3.4.1) at paragraphs 1 and 2 states “Licensees must interact with customers in a way which minimises the risk of customers experiencing harms associated with gambling. This must include:

  • a. identifying customers who may be at risk of or experiencing harms associated with gambling
  • b. interacting with customers who may be at risk of or experiencing harms associated with gambling
  • c. understanding the impact of the interaction on the customer, and the effectiveness of the Licensee’s actions and approach.

2 Licensees must take into account the Commission’s guidance on customer interaction.”.

The Commission found, and Spreadex acknowledged, that its policies and processes were not fully compliant with SRCP 3.4.1 (1) and (2). In particular:

  • its financial alerts were ineffective and allowed customers to lose significant amounts over a short period of time
  • it placed an overreliance on financial alerts to identify customers at potential risk of experiencing harms
  • it did not sufficiently record and evaluate its customer interactions.

As an example, the Commission’s concerns included a customer who was able to deposit £1.7 million and lose £500,000 during the course of a one month period. Customer interactions had taken place but they had not been sufficiently evaluated, and did not include considering the effectiveness of restricting the account.

Spreadex Limited Regulatory Settlement

This regulatory settlement consists of:

  • £1,363,786 payment in lieu of a financial penalty, which will be directed towards socially responsible purposes
  • agreement to the publication of a statement of facts in relation to this case
  • payment towards the Commission’s costs of investigating the case of £7,831.00.

In considering an appropriate resolution to this investigation, the Commission had regard to the following aggravating and mitigating factors:

Aggravating factors

  • the serious nature of the breaches identified
  • the impact on the licensing objectives
  • that the breach arose in circumstances that were similar to previous cases the Commission has dealt with which resulted in the publication of lessons to be learned for the wider industry
  • the need to encourage compliance among other operators
  • the nature of the breaches may mean other customers were affected that the Commission has not reviewed.

Mitigating factors

  • Spreadex showed insight into the seriousness of the breaches and self-suspended its casino activities for 5 months to mitigate risk
  • Spreadex provided an action plan immediately following the Compliance Assessment and took effective action to expand and improve its compliance capacity
  • Spreadex and its senior managers cooperated with the Commission in a timely and transparent manner
  • Spreadex made an early offer of a regulatory settlement.

Good practice

Gambling operators should take account of failings identified in this investigation to ensure industry learning. Operators should consider the following questions:

  • do you have formal processes in place to measure the effectiveness of your AML and safer gambling policies and procedures, and are findings adequately recorded?
  • do you efficiently record all compliance decisions and are you able to demonstrate to the Commission, on request, evidence of ongoing assessment, evaluation and improvement?
  • do lessons learned from public statements flow into your policy and processes?
  • do you have a formalised process for analysing the effectiveness of customer interactions to ensure the types of interaction are effective?
  • do you log the types of behaviour which have triggered a customer interaction and keep sufficient records of interactions, along with decisions not to interact especially in terms of the level of detail provided?

1OCP do not have the status of licence conditions but set out good practice. Any departure from OCP provision by an operator may be considered by the Commission as part of a licence review.

2Compliance with an SRCP is a condition of the licence by virtue of section 82(1) of the Act.

Download article PDF: GC - Spreadex Limited Public Statement - 25.08.22