Spreadex Limited Findings
The investigation and our subsequent regulatory review found:
- failings in Spreadex’s implementation of anti-money laundering (AML) policies, procedures and controls
- deficiencies in its responsible gambling policies, procedures, controls and practices, including weaknesses in implementation.
Breach of paragraph 1 of licence condition 12.1.1
Licence condition 12.1.1(1) states, “Licensees must conduct an assessment of the risks of their business being used for money laundering and terrorist financing. Such risk assessment must be appropriate and must be reviewed as necessary in the light of any changes of circumstances, including the introduction of new products or technology, new methods of payment by customers, changes in the customer demographic or any other material changes, and in any event reviewed at least annually.”.
The Commission found, and Spreadex acknowledged, that its Money Laundering and Terrorist Financing Risk Assessment (ML and TF RA) was not fully compliant with licence condition 12.1.1 (1). In particular:
- it had not been reviewed and updated on an annual basis as required, and did not take into account and adequately consider information on the risks of ML and TF made available in Commission publications
- it did not acknowledge and assess all the relevant customer, product and geographical risk factors.
Breach of paragraph 2 of licence condition 12.1.1
Licence condition 12.1.1(2) states “Following completion of and having regard to the risk assessment, and any review of the assessment, Licensees must ensure they have appropriate policies, procedures and controls to prevent money laundering and terrorist financing.”.
The Commission found, and Spreadex acknowledged, that it was not fully compliant with licence condition 12.1.1(2). In particular:
- there were weaknesses and shortcomings in relation to the adequacy and maintenance of its AML policies, procedures and controls
- certain customers were able to deposit large amounts of money without sufficient interaction being triggered, such as a Source of Funds (SOF) check.
As examples, the Commission’s concerns included:
- ineffective Enhanced Customer Due Diligence (ECDD) triggers allowed customers to deposit large sums of money before the first AML review was undertaken
- the level of information obtained and verified by the Licensee did not increase in line with customer ML risk levels. In one case, a customer who met a £25,000 financial deposit alert, had the alert for further review increased to £100,000 based on a self-declaration of income and an open-source check
- over reliance on electronic verification checks without obtaining additional independent evidence from reliable sources.
Breach of paragraph 3 of licence condition 12.1.1
Licence condition 12.1.1(3) states, “Licensees must ensure that such policies, procedures and controls are implemented effectively, kept under review, revised appropriately to ensure that they remain effective, and take into account any applicable learning or guidelines published by the Gambling Commission from time to time.”.
The Commission found, and Spreadex acknowledged, that its policies, procedures and controls were not fully compliant with licence condition 12.1.1(3). In particular, the Licensee:
- failed to critically review SOF documentation and was over reliant on electronic checks
- did not have in place sufficient staff to respond to financial triggers in a timely fashion and to adequately mitigate the risk.
As examples, the Commission’s concerns included:
- a customer who was able to continue depositing after providing redacted bank statements in response to a request for evidence of SOF
- a customer who was able to deposit £365,000 and lose £284,000 over a period of 3 months without SOF being sufficiently established.
The Commission’s review of the specific customers identified during the Compliance assessment found no evidence of criminal spend with the Licensee.
Failure to consider Ordinary Code Provision (OCP) 2.1.1 – Anti-money Laundering (Casino)1
The findings set out at 1 to 3 occurred, to an extent, because Spreadex had failed to sufficiently take into account the Commission’s AML guidance. OCP 2.1.1, states: “In order to help prevent activities related to money laundering and terrorist financing, licensees should act in accordance with the Commission’s guidance on anti-money laundering: The Prevention of Money Laundering and Combating the Financing of Terrorism – Guidance for remote and non-remote casinos.
Failure to comply with: Social Responsibility Code 3.4.12
Social Responsibility Code Practice (SRCP 3.4.1) at paragraphs 1 and 2 states “Licensees must interact with customers in a way which minimises the risk of customers experiencing harms associated with gambling. This must include:
- a. identifying customers who may be at risk of or experiencing harms associated with gambling
- b. interacting with customers who may be at risk of or experiencing harms associated with gambling
- c. understanding the impact of the interaction on the customer, and the effectiveness of the Licensee’s actions and approach.
2 Licensees must take into account the Commission’s guidance on customer interaction.”.
The Commission found, and Spreadex acknowledged, that its policies and processes were not fully compliant with SRCP 3.4.1 (1) and (2). In particular:
- its financial alerts were ineffective and allowed customers to lose significant amounts over a short period of time
- it placed an overreliance on financial alerts to identify customers at potential risk of experiencing harms
- it did not sufficiently record and evaluate its customer interactions.
As an example, the Commission’s concerns included a customer who was able to deposit £1.7 million and lose £500,000 during the course of a one month period. Customer interactions had taken place but they had not been sufficiently evaluated, and did not include considering the effectiveness of restricting the account.
Spreadex Limited Regulatory Settlement
This regulatory settlement consists of:
- £1,363,786 payment in lieu of a financial penalty, which will be directed towards socially responsible purposes
- agreement to the publication of a statement of facts in relation to this case
- payment towards the Commission’s costs of investigating the case of £7,831.00.
In considering an appropriate resolution to this investigation, the Commission had regard to the following aggravating and mitigating factors:
Aggravating factors
- the serious nature of the breaches identified
- the impact on the licensing objectives
- that the breach arose in circumstances that were similar to previous cases the Commission has dealt with which resulted in the publication of lessons to be learned for the wider industry
- the need to encourage compliance among other operators
- the nature of the breaches may mean other customers were affected that the Commission has not reviewed.
Mitigating factors
- Spreadex showed insight into the seriousness of the breaches and self-suspended its casino activities for 5 months to mitigate risk
- Spreadex provided an action plan immediately following the Compliance Assessment and took effective action to expand and improve its compliance capacity
- Spreadex and its senior managers cooperated with the Commission in a timely and transparent manner
- Spreadex made an early offer of a regulatory settlement.
Good practice
Gambling operators should take account of failings identified in this investigation to ensure industry learning. Operators should consider the following questions:
- do you have formal processes in place to measure the effectiveness of your AML and safer gambling policies and procedures, and are findings adequately recorded?
- do you efficiently record all compliance decisions and are you able to demonstrate to the Commission, on request, evidence of ongoing assessment, evaluation and improvement?
- do lessons learned from public statements flow into your policy and processes?
- do you have a formalised process for analysing the effectiveness of customer interactions to ensure the types of interaction are effective?
- do you log the types of behaviour which have triggered a customer interaction and keep sufficient records of interactions, along with decisions not to interact especially in terms of the level of detail provided?
1OCP do not have the status of licence conditions but set out good practice. Any departure from OCP provision by an operator may be considered by the Commission as part of a licence review.
2Compliance with an SRCP is a condition of the licence by virtue of section 82(1) of the Act.