22 November, 2022

Roundtable: KYC and AML compliance

Industry experts from VallettaPay, Neosurf, Sumsub and TransUnion discuss the importance and challenges of KYC and AML compliance.

David Zammit, a certified accountant by profession, is the Co-Founder and CEO of VallettaPay. Under his leadership and supervision, VallettaPay has become an established and well-respected financial institution within the payments world. David’s vast experience in the financial services industry and his renowned international networkare key attributes thatallow VallettaPay to offer an efficient and cost-effective service.

Andrea McGeachin has been working at a senior level in the gambling sector since 2007. She heads up the Neosurf Commercial team, which since 2016 has grown exponentially. She has helped fill the gap from the Ukash loss, as well as supporting a drive to use smarter services for clients through a strong APM solution. She was recently promoted to CEO.

Tony Petrov was appointed Chief Legal Officer at Sumsub in 2018. He is an experienced blockchain and fintech attorney with a focus on AML and KYC compliance, data privacy and international regulator relations. Tony holds a master’s degree in Transnational Business Law from the University of the Pacific, McGeorge School of Law in Sacramento, California. He also studied IT Law at the University of California, Berkeley. A certified CySEC AML Compliance Officer, Tony is the author and host of the “Sumsub for experts” YouTube channel.

Declan Raines is responsible for the strategic planning of TransUnion’s US Gaming business. TransUnion has serviced the global gaming industry, including the well-established UK market, for over 12 years.

WHAT ARE THE BIGGEST CHALLENGES WITHIN KYC AND AML?

David Zammit: Carrying out KYC checks might be a headache. However, knowing more about your customers can help you manage risk and keep out unwanted customers. KYC regulations are ever-expanding. To ensure KYC compliance, you’ll need to put adequate internal controls and monitoring systems in place to flag money laundering threats as they happen. You’ll also need to keep records of customer due diligence activity for at least five years after a transaction takes place or the relationship ends. It is best practice to document your KYC and AML policy, controls and procedures for preventing money laundering, with details of the key employees who are responsible for managing this.

Andrea McGeachin: The key challenge is keeping up to date with the differences between the payment regulators and gambling regulators across different jurisdictions. It means we just have to maintain masses of matrices, spreadsheets and protocols we have to build into the tech. Every single request and every single requirement is absolutely valid, and it’s important that we respond each time, mindful of the seriousness of AML. AML is about understanding the behaviour of your customer and knowing what to do, and how to report it, if we think something suspicious is happening. This applies across all levels of the sector, and affects operators and payments alike. When we take into account the volumes and speed with which we operate, the variability of the different applications and processes – together with the constant changes – presents real challenges.

Tony Petrov: Gaming companies must ensure bulletproof security and compliance, but if their KYC processes get too complex, they risk scaring customers away. The best solution to this challenge, in my view, is to separate verification into stages. As an example, you can employ minimal checks during onboarding and kick in more advanced ones when they truly matter – at the deposit and withdrawal stages, for instance. Another option could be using a quick document-free onboarding process, that only requires a customer's ID number and passing a quick liveness check. It is extremely user-friendly and also helpful for boosting user pass rates. Another KYC/AML challenge for global gaming platforms is complying with local regulations when expanding to new markets. To address this, I’d recommend outsourcing all compliance tasks to a trusted KYC/AML provider with global expertise that keeps track of shifting regulations. Scaling up globally is a key goal for most gambling businesses, so it’s better they focus on core targets and outsource KYC/AML to dedicated professionals.

Declan Raines: The biggest challenges are the rising frequency and rapidly evolving nature of fraud schemes. As people increasingly conduct their business and leisure online, they open themselves to greater risk from social engineering, phishing and spoofing attacks, to name a few examples. Developing seamless onboarding that merges a robust KYC process with a smooth player experience is a difficult balance to strike, especially during a time of exponential growth for the industry. This ensures consumers are the correct age; confirming their identity without creating too much friction and risking abandonment is a top priority.

DO COMPANIES REALISE JUST HOW IMPORTANT KYC AND AML ARE?

David Zammit: By carrying out customer due diligence and identity verification, the risk of unwittingly working with people or organisations involved in illegal activity or money laundering is minimised. This is particularly important for banks, financial organisations, gaming operators and other organisations that are frequently targeted by fraudsters. It is vital for companies to understand the importance of KYC and AML. As well as preventing misuse by criminals, KYC helps organisations to understand and manage potential risks during the customer onboarding process. In turn, this can help organisations appear more trustworthy to potential new customers.

Andrea McGeachin: Yes, every company I know takes it seriously. I don’t know a single company in our industry, whether they’re in the payments space or they’re actually the operator or suppliers, with an involvement in KYC service who do not take it seriously. Everybody wants to get it right but there are so many different areas where we face confusion. KYC and AML come into payments and payment regulators such as the Financial Conduct Authority and in the BFINEU directive for e-money, and then you have different rules and different countries. So when you go to the USA you have Finserv, for example. The AML rules are international, they’re not dictated individually by every single country in the world, but you will have different AML policy documents for different countries; at the end of the day the AML rules are international.

KYC on the other hand does become rather individual to the territory. There are some countries that are a little bit more antiquated than others, for example some countries insist on paper proof of address.

Tony Petrov: The short answer is: yes, they do. The online gambling industry is expected to grow over $81bn this year, up from $73.42bn in 2021. And as the industry gets bigger, regulations get tougher. This results in huge penalties imposed on businesses. Just this past August, the Gambling Commission issued a £17m ($19.3m) settlement with UK gambling firm Entain for enormous anti-money laundering failures. More recently, a £2.8m penalty was issued to another UK firm, Betfred, over gambling customer safety check failings and poor AML controls. So, as penalties get more severe, it’s no surprise that companies feel compelled to invest in their KYC infrastructure and AML compliance.

Declan Raines: Companies may realise the value of KYC and AML in protecting their customers and employees from fraud, but it’s clear from the increasing numbers of financial fraud-related stories in the news, particularly coming out of the pandemic, that renewed or increased focus is warranted or even necessary. There are a number of parallels between the gaming industry and financial services; for example, ensuring precision in confirming the identities of consumers is of the highest importance in both sectors. Where gaming differs is the speed in which this precision is required. Abandonment at onboarding is particularly high; ensuring a seamless but diligent onboarding process is extremely important when someone wants to register to place a bet on a sports event kicking off in a few minutes.

IS COMPLYING ENOUGH, OR CAN GAMING COMPANIES GO BEYOND?

David Zammit: Gaming companies are leaders in artificial intelligence (AI) and hence can do more. There is an increasing propensity to apply AI and machine learning (ML) to effectively manage financial crime risk. Gaming companies can use external information and data integration in their AML/CFT systems. This can assist in identifying higher-risk relationships, suspicious transactions and networks. According to the FATF, the adoption of innovative technology such as application programming interface, distributed ledger technology, data standardisation and machine-readable regulations, is making it easier and more cost-effective for companies to build and maintain robust AML solutions. However, investing in the latest AI/ML solutions will not result in the desired reduction in financial crime risk without cohesive, well-functioning, experienced in-house teams.

Andrea McGeachin: There are some operators and payments providers happy just to tick the regulatory box and move on. Of course, complying with the requirements of regulators is a primary responsibility. But that’s not our only responsibility and I, and Neosurf, genuinely believe we absolutely should go further. Particularly where gambling and gaming is concerned, we have social responsibility to ‘do the right thing’ and be part of a ‘responsibly’ structured industry. But it’s not just recognising our social and regulatory obligations around affordability and the like. At the centre of the role payments plays in our industry are both front-line users and operators. We need to deliver experiences that meet both their needs. For example, it is not good that those who are obliged to use braille should be forced to endure more complex customer journeys than others.

Tony Petrov: Staying compliant with shifting regulations is key, but it takes more than compliance to be a leading player in the industry. To stay ahead of the competition, it is vital to use the most advanced KYC/AML products on the market, such as transaction monitoring, or KYT (know-your-transaction). With KYT, for instance, gambling companies can successfully manage risks by monitoring and reporting suspicious activities, analysing user behaviour and cross-checking KYC data. Gaming companies should also think in advance about anticipated user traffic spikes ahead of major events like the Olympics or World Cup.

Declan Raines: Compliance with best practices and established regulatory regimes in AML and KYC are the bare minimum for customer protection, and avoiding fines and civil or criminal judgements. While it’s also crucial to weigh compliance costs with demonstrated needs, it is equally important for companies to expend effort tracking developments in AML, predicting the need for updated policies, procedures and controls, and fostering a culture of compliance. Having an enterprise compliance solution at the foundation that prioritises flexibility, along with the broadest and highest quality data, are key components in allowing gaming operators to react and stop fraud as it evolves.

HOW DO REGULATIONS DIFFER ACROSS DIFFERENT REGIONS WHEN IT COMES TO AML FOR EXAMPLE IN EUROPE, ASIA OR NORTH AMERICA?

David Zammit: Enforcement actions and penalties for non-compliance with anti-money laundering (AML) regulations continue to increase. The trend of legislating stricter AML regulations and ensuring their implementation can be seen in Europe, Asia and North America. There have been significant advances in money laundering legislation within the European Union, but with varying levels of implementation. A series of Anti-Money Laundering Directives (AMLDs) were passed during the last three decades. At the end of 2020, the United States passed a series of acts with significant changes and enhancements to the AML rules. Some of those new rules, such as a national beneficial owner registry and whistle-blower protections, bring the United States in line with existing EU rules. According to the Financial Action Task Force (FATF), a significant number of jurisdictions around the world report a continued increase in money laundering.

Andrea McGeachin: This is where the main challenge sits. While the AML rules are broadly consistent from country to country, in each we have a gambling regulator and we have a payments regulator, and the interpretation of the payments regulation versus the gambling regulation can differ. On the other hand, the KYC requirements across jurisdictions can differ. So we are left with the need to maintain complex matrices, constantly monitored to ensure we satisfy all the necessary regulatory obligations on us. Some jurisdictions, such as Germany, tend to apply rules more strictly than others, and a further complexity lies in the application of GDPR; setting out what information can be shared from regulator to regulator and country to country.

Tony Petrov: Since almost all national AML regulations follow FATF recommendations, AML/CFT requirements do not differ significantly country to country. The main aspects of AML compliance will therefore always be customer due diligence (CDD) procedures, risk assessment, ongoing monitoring and suspicious activity reporting. So even if a gaming company doesn’t yet fall directly under the AML supervision, it would be reasonable to get in line with AML requirements in advance since the industry is expected to be regulated across the board in future. Asia is a diverse region in terms of AML and gaming laws, but there is a general trend towards legalisation and therefore regulation of the industry.

Declan Raines: Financial services and designated non-financial businesses and professions, like money services businesses, casinos, or jewellery dealers, are subject to their respective national AML regulations, like the EU Money Laundering Directives, the Patriot Act, or AMLA. However, to transact abroad they must also demonstrate due diligence in meeting foreign regulatory requirements.