FIAU slaps €236,789 fine on iGaming firm for breaches in anti-money laundering rules

The Financial Intelligence Analysis Unit (FIAU) has fined Glitnor Services Limited €236,789 due to irregularities found during a compliance review carried out in 2019.

It also imposed a reprimand and follow-up directive on the iGaming firm so it may assess its implementation of its action plan to solve the identified issues.

Glitnor Services Limited registered as a company in 2018 and holds a B2C licence with the Malta Gaming Authority.

The compliance review report revealed that the firm’s business risk assessment was deemed not comprehensive since it failed to consider all the risks to which the company is exposed.

The report stated that it lacked a complete assessment of the firm’s jurisdictional risks, given that only the ‘reputability’ of a particular jurisdiction was considered, while also not giving reference to the source/s used to rate the jurisdictions.

It said that the firm should have considered other factors, such as countries which are known to suffer from a significant level of corruption, are at risk of drug trafficking or other prevalent crime, political instability, are subject to international sanctions in connection with terrorism or are known to have terrorist organisations operating within the countries, among other factors.

Nevertheless, the FIAU positively acknowledged the firm’s commitment to revise its BRA in line with the FIAU’s recommendations and in line with requirements applicable at law.

The FIAU also noted shortcomings in the firm’s customer risk assessment (CRA) and customer acceptance policy (CAP).

Concerning the CRA, the firm did not consider the customer’s residence and geographical elements in connection to the customer’s source of wealth or funds. Furthermore, no consideration was made to the risk posed by the customer’s source of wealth or economic profile, including elements such as whether the customer had single or multiple sources of income.

However, it did acknowledge that since the compliance exam, the firm has adopted a new CRA scoring methodology which considered all risk pillars.

During the examination, the company’s policies and procedures dealing with requirements to collect information on the purpose and intended nature of the business relationship were deemed as not being entirely in line with the obligations at law.

This is mainly due to the company’s own policies and procedures not requiring it to request source of wealth or funds information and/or documentation in order to create a business and risk profile upon a customer reaching a €2,000 deposit threshold.

In addition, while the company provided risk ratings for all of its customers, it did not explain how it arrived at such ratings.

The FIAU also noted that no sufficient information was obtained on a player’s anticipated level of activity or employment.

The firm stated that it sought information on every player and obtained a clear understanding of each customer’s expected level of play through a combination of statistical modelling and player information.

While the FIAU acknowledged that this could be the right approach, it was not supported by any evidence.

There were also shortcomings in the firm’s transaction monitoring, enhanced due diligence, and politically-exposed-persons (PEP) screening.

At the time of the commencement of the compliance exam, the company failed to conduct PEP screening on over 80 per cent of its customers, all of which reached the €2,000 deposit threshold.

Although the company stated it conducted PEP screening during the compliance exam, it resulted that it failed to perform PEP screening on five of such players.

The FIAU however, positively acknowledged the firm’s statement that the remediation process undertaken shall ensure that all customers are screened upon reaching the applicable threshold.

Lastly, there were also concerns surrounding internal reporting and staff training.

During the examination, one player was noted to have lost €5,462 in less than five months, while they reportedly earned €300 a month, according to the payslip provided.

This player was found to have ignored three requests made by the firm and provided inadequate information for another two. They finally replied with a document from another gaming provider, which suggested that the player exceeded $500,000 (€456,000) worth of eligible transactions within one year.

The FIAU noted that although faced with the discrepancy in the player’s incoming salary and transactions carried out by them, the firm failed to request further information as to whether the player was a professional one, which would have aided the firm in understanding where the player generated their funds.

In view of this, it was determined that the firm should have flagged an internal report to the MLRO to understand whether there was any suspicion that the player’s funds were being generated illicitly.

Nevertheless, the FIAU took into consideration that the firm had some documentation the confirm the VIP status of the customer with another company.

Regarding training, one of the issues was that the firm’s material was found to be too generic, and not tailored to local AML/CFT regulations, nor the firm’s policies and procedures. Furthermore, there was a lack of proper bookkeeping on which employees underwent such training.

However, the FIAU acknowledged the firm’s statement that a refresher training course has been undertaken by all staff following the compliance exam and that all new employees are subjected to the induction AML training.

At time of writing, the penalty issued by the FIAU is not yet final and may be appealed by the firm.