Nestled in the heart of the Irish Sea, the Isle of Man has emerged as a powerful launch pad for regulated gaming businesses.
The Island’s journey to becoming a global hub for online gambling and e-gaming has been one of relentless commitment to integrity and innovation, making it a go-to destination for businesses seeking a secure and thriving environment in the digital gaming realm.
A key principle for all regulated businesses should be to learn from past experiences. As long-term compliance experts working with various regulatory bodies, Impact Professional Services often seeks out best practices that can be applied across businesses, regardless of which regulatory body governs them.
In this blog, Nick Wait, Managing Director of Impact Professional Services, looks at key findings from the 2023 Isle of Man Financial Services Authority TCSP Business Risk Assessment Review and how these findings can be applied to businesses regulated by the Isle of Man’s Gambling Supervision Commission (‘GSC’).
What is a Business Risk Assessment and How Does It Help Your Business?
“A Business Risk Assessment (BRA) is a key part of a firm’s compliance and risk management framework to help detect and prevent money laundering and terrorist financing. The BRA needs to be checked regularly to ensure it is still fit for purpose, and it should be continuously reviewed and updated when circumstances change or new risks or threats emerge.” Ian Spence, Head of the IOMFSA AML/CFT Supervision Division.
A BRA ensures that everyone in your business understands the appetite for risk. A well communicated BRA informs a business’s culture, procedures, policies and checklists at every level of the business.
If Anti-Money Laundering or Countering the Financing of Terrorism regulations are breached, it can result in public prosecution and serious damage to a business’s reputation.
When a business’s BRA is fit for purpose, it ensures operational efficiency and safety.
So, it’s in everyone’s interest to get it right.
The 2023 Thematic Review by the IOMFSA Relating to Trust and Corporate Service Providers (“TCSPs”)
The IOMFSA published the findings of phase one of a thematic review relating to Trust and Corporate Service Providers (“TCSPs”) on 12 July 2023, with the phase two findings published on 30th January 2024.
A Business Risk Assessment questionnaire was sent to a cohort of Island firms to assess how they are meeting their obligations in respect of the Anti-Money Laundering and Countering the Financing of Terrorism (“AML/CFT”) Code 2019.
The phase one report sets out the responses submitted by 106 licence holders, as well as the Authority’s observations on the data and some examples of best practice.
Phase two of the project, consisting of desk-based inspections focusing on a firm’s BRA, sets out the findings, including examples of best practice, case studies, and the Authority’s observations.
The TCSP sector is identified in the Isle of Man National Risk Assessment as one of the highest risk business sectors in the Island. The Authority is conducting the thematic review to test the strength of measures and controls put in place by firms to mitigate Money Laundering and Financing of Terrorism related risks and protect their businesses from potential abuse by criminals.
It also provides an opportunity for the Authority to enhance its engagement with firms and to share the findings and feedback with industry.
We recommend that all firms, whether regulated by the IOMFSA or by the Gambling Supervision Commission, read both phase 1 and 2 reports and take any action necessary to ensure their own risk-based compliance regimes in relation to BRAs are effective, up-to-date, and properly documented.
What Should Be Contained in a Business Risk Assessment (BRA) for an Online Gambling Business?
A BRA should clearly set out the risks a business faces in relation to customers and their activities and explain the basis of the assessment.
It should highlight how much, and what level of, risk the business is prepared to take. Additionally, the BRA should clarify what risk the firm is not prepared to take.
Other Key Points to Include
- There should be a documented Risk Appetite Statement or associated Policy.
- There should be a documented Anti-Money Laundering / Countering the Financing of Terrorism Policy in place.
The BRA should:
- be informed by other risk assessments required by the Gambling Anti-Money Laundering and Countering the Financing of Terrorism Code 2019 (the Code) as well as the Isle of Man National Risk Assessment.
- detail the composition of the customer base and where the risks are. For example, how many high & standard risk clients, Politically Exposed Persons split by domestic & foreign and high & standard risk ratings.
- incorporate the link to Customer Risk Assessments as a key source of information.
- contain evidence of the BRA’s review and approval, for example extracts of Board minutes.
- be communicated to the entire business.
- have clearly documented reviews and approvals, using version control.
Additionally:
- there should be a process in place to ensure the timely supply of information or documentation requested by the Authority.
- there should be a documented Risk Assessment Methodology / Risk Scoring Matrix in place to:
  - assess the inherent risks relevant to the business.
  - identify mitigating factors and controls to manage the impact of the risks.
  - assess the risk impact.
  - assess the effectiveness of the controls in place.
  - assess whether the residual risk is within the documented risk appetite.
  - assess the likelihood / probability of the risks.
  - assess the cumulative risks.
Some Wider Points to Consider
- If the business is part of a Group, the BRA should consider the specific risks relevant to the Isle of Man licence holder.
- Any areas for development highlighted in the BRA should be reported to the Board / senior management team.
- It’s important to identify whether there are any barriers in place to prevent the operation of effective systems & controls.
- Record keeping requirements should be followed. Previous versions of the BRA should be kept for a minimum of 5 years.
- If the BRA would be reviewed and updated at a trigger event, this should be documented.
Important ‘Housekeeping’ Tips for Ensuring a BRA Continues to Be ‘Fit for Purpose’
- Ensure a regular review of what is in your BRA and that it adequately reflects your business’s appetite for risk.
- Ensure that everything is documented and there is a central store for documents.
- Review who has, and should have, contributed to the BRA.
- Ensure that everyone in the business is aware of the BRA (trickier in larger organisations).
- Ensure that the BRA has been reviewed in the last 12 months.
- Ensure that the board have taken time to review and digest the BRA in the last 12 months.
Conclusion
As e-gaming and i-gaming enterprises navigate the complex landscape of compliance and risk management, the recent IOMFSA review serves as a poignant reminder of the importance of a well-structured BRA.
Incorporating the insights gained from this review will not only safeguard consumers but also protect against financial crime, fostering and sustaining confidence in all regulated sectors through the vehicle of effective regulation.
While the costs associated with compliance are not insignificant, they pale in comparison to the potential consequences of non-compliance.
The Isle of Man’s regulatory journey stands as a testament to the fact that in the world of e-gaming, understanding and implementing sound risk assessment practices are not just obligations but essential strategies for long-term success and sustainability.
As businesses look to thrive in the ever-evolving digital gaming sector, the Isle of Man provides a compelling blueprint for achieving both regulatory excellence and operational efficiency.
Impact Professional Services support regulated finance and e-gaming businesses in the Isle of Man with compliance and risk expertise. From licence applications and procedure documents to one-off projects and independent monitoring and oversight, we’re here to support your navigation of the regulatory landscape.
An initial chat costs nothing. If you’re ready to find more peace of mind when it comes to compliance for your organisation, contact us today – we’d be very happy to help.