Risk assessment methodology for financial and other service providers specifically for the gambling industry

The following is a transcript of a presentation titled “What is the risk to us?” by Jason Chess at the KPMG in Malta Gaming eSummit, 18 November 2016 at 5pm.

Good Afternoon everyone. Risk is an important topic today. We need to know what constitutes the sheer legal risk of acting as a payment processor, or as a service provider, or as any kind of facilitator to a B2C gambling site. Consider the portal of your chosen channel behind that B2C gambling site – there’s a big supply chain. There are B2B suppliers, there are platform operators, there are KYC providers and there are payment processors. Payment processors and the banks occupy an especially risky part in that supply chain because if the man at the front of the chain does something wrong then that illegality can taint the whole chain, right to the end. So, your first question should be, who am I going into business with? Are they criminal? Or am I dealing with a cautious, respectable business that I can turn around and justify to my shareholders?

At Wiggin in England we currently give this advice to banks and to payment processors, we advise Barclays and Worldpay, and we currently have 84 territories under constant daily real time review for our various clients. It’s a big, important part of our business. What will happen with the Payment Services Directive is, that when more people come into the markets, and there’s more choice, there will be more people needing this advice and Fintech companies who have no knowledge of the gambling market are going to want to be sure that they’re dealing with respectable people.

What can go wrong if you’re a payment provider, or a bank, or a service provider, or even a B2B provider? If you get into bed with an operator who isn’t as sensitive to risk as you, or may be sensitive to risk but like a lot of operators, they simply don’t take paid advice, or the money they’re getting from grey or indeed black markets is so significant that they’ve got their heads in the sand – they don’t want to listen to the advice they’ve been given. We’ve all come across those scenarios when we deal with service providers to B2C operators. If that’s your attitude, you’ll store up a load of trouble for yourself. Generally, in criminal law if you help someone do something wrong you’re aiding and abetting. The principle is that you’ll be charged along with the perpetrator in the same way. In some jurisdictions, for example, in Germany, and in UIGEA (Unlawful Internet Gambling Enforcement Act) in the US, and in Norway: there are specific laws aimed at payment service providers. It’s an awful lot easier to strangle the supply of money to a gambling site than it is to go to the Isle of Man, or Malta, to prosecute the gambling site. Hence under many regimes there are specific offences.

If you’re a payment service provider, or a processor, or if you’re taking payments from a B2C company and they’re operating in an illegal jurisdiction, taking money from the US, the Far East, or Indonesia for example, you may be in receipt of criminal proceeds. If that happens you’re not only money laundering under European Law but you could be racketeering – what the Americans call laundering, under US Law.

This map of Europe shows the complexity. We have certain criteria to observe in the Netherlands, prohibitive tax in Portugal, non-compliance in Germany, Hungary is unstable and corrupt, Turkey is a black market, in Russia there are ISPs, in Scandinavia there are monopolies. We supposedly have a regulated market across Europe, it’s a liberated market, but in reality, we don’t. It’s a patchwork of independent regimes which present very different risks and what you must do is to assess your customers’ activity in each of those. Even somewhere like Finland, if you establish a nexus with that country, and have it in the Finnish language for example, or if you have on-shore advertising, that will affect the risk balance and the likelihood of Finnish courts assuming jurisdiction over you. How do know as a service provider whether your customers do that or not? Well you don’t unless you enquire but the risk you take in dealing with that particular customer is very germane.

If you think the risk for Europe is problematic, travel to China, Taiwan, Hong Kong, Indonesia, the Philippines, the Far East: the risks are even greater. There are many people who take Sportsbooks out of the Far East: that activity is plainly unlawful under the domestic law of a lot of jurisdictions, for example, in Singapore, where the law applies extra-territorially. Do you know whether your costumers have enquired or taken advice under Chinese law? Do you know whether your customers understand the extra-territorial effect of Chinese law? No, you don’t, and that will affect whether you as a service provider, as a bank, as a payment processor commit an offence under that body of law.

When we look at the world and measure risk, remember that the B2C operators and the portals are under commercial pressure to open in new markets, because the existing markets are saturated and it’s becoming more expensive to buy market share in the existing markets. So there’s pressure to get into places like the Far East, and develop new markets, but you’re dealing with uncertain legal regimes where there’s a high prospect of illegality. You need to ask yourself, do you need the money enough? Are you going to get pulled off the plane in China, are you going to get your offices raided? Are you going to be jailed in Singapore or Malaysia? Or in Indonesia, where in many places, Sharia law might apply to gambling? Are you going to take a risk like that by servicing these customers?

The answer is to develop a methodology for identifying and assessing that risk. It’s a part of servicing your customers. It’s an educated methodology as to how you identify the particular risk that a particular customer in a particular range of markets, poses to you.

This is the methodology we use. Start in the grey square; follow your way to another grey square: is on-line gambling prohibited? Does the client have a licence? Look at the criteria, you follow the track through and it will get you out in one of three places.

Green is a Yes, or it will get you out in a No, or it will get you out in a Maybe (which is amber). This means that if the client has a licence, then you’ve got a licence and it’s a regulated market, and you’re fine, you emerge in the green bit. If you’re servicing someone in the UK they’ve got a British licence that’s fine, someone’s taking Sportsbook in France they’ve got an ARJEL licence, that’s fine too. But if someone has a Schleswig Holstein licence and they’re trading in the rest of Germany, you’re not fine. You might have someone who has a Romanian licence, or attempting to apply for one, doing a joint venture with a local casino in Hungary. Those regimes may or may not be compliant with basic EU laws.

So, it’s a quandary: do you back the client as it goes into an unregulated, or a non-EU compliant regime, or not take the risk? In Germany, in Hesse, where the authorities starting writing to payment processors and banks because that was the only way they could think of giving some respectability to the state treaty. But if the questions aren’t so clear, you get into quite a complicated risk matrix there’s a great big huge collection of all sorts of things that you have to shakeup in the air and see where they come down). And what that does it is grades or it quantifies the risk that you’re taking. You then take that risk assessment into your own business processes and you decide whether or not how badly you want the money and the client? How much money will you make? Do those things outweigh the risk assessment that you’ve calculated?

This is the sort of risk assessment checklist that you will go down for any particular jurisdiction. Is gambling legal or illegal? Does the domestic law apply territorially, does it apply extra-territorially? Does the client have a particular connection with the territory? For example, language clients or currency? EU compliant or not? Are players criminalised, like in Belgium or Poland? Do you want to take money of someone who’s committing a criminal offence in the jurisdiction as a player? Are there specific offences for payment processing? Very importantly, does the regulator actually enforce any of this? No one’s frightened of the German authorities because we know they haven’t got a leg to stand on in terms of EU compliance, but the Turkish authorities are very happy to go around and break into people’s offices and the Americans will pull you off the plane! Who’s to say the Chinese won’t do that? There are many domestic prosecutions in China right now and the Malaysians have shown a similar readiness. If you do get into trouble with these people, will they have the guts to come after you? Have there been historical prosecutions? Are the local courts crooked? There are lots of places, including in the EU, where the head of the Gambling Commission is the brother of the President and the judge is the cousin-in-law and it’s all done on family ties and back handers – let’s be honest. Can you rely upon a fair hearing and a fair judicature? Look for example at the Middle East, are you going to take into account local custom and local culture in the assessment of whether you want to support gambling businesses in these territories? The answer to most of these questions actually comes out in a red, green or an amber as I demonstrated.

This one I did notionally for Germany. Remote gambling is pretty much illegal, so you get a red for that. The jurisdiction of domestic laws don’t really apply because they’re non-compliant with the EU: you get an amber. If you have a presence in the territory it makes it a bit easier for them to come after you, but it doesn’t guarantee it, so that’s an amber. Are they EU compliant? No, obviously not, so you get a green for that, that’s something we can use in our favour. Is there a potential for aiding and abetting? Yes, there is. So, what happens is you go down and fill it in and you look at it based on the colours that you see in the extreme right hand column. You will get a preponderance of one colour – in this case green – and on that basis, we’d probably go ahead and service Germany because it’s unlikely to come home to roost.

That’s a quick snapshot of how you develop the methodology for an individual territory in terms of the legal and regulatory risk that you face for servicing your customers there. There’s a reason that the output of this process is like a traffic light: if a green light goes on for you, then you’re happy to give services to someone in France who has an ARJEL licence. A red light will come on if you can’t take business out of the States, or Turkey, or Israel.

But a lot of places will fall in the middle, where it isn’t clear where they’re cut. You can’t be 100% sure that they won’t pull you off the airplane or shut down your bank accounts or offices but it doesn’t feel serious enough for you to pull a lucrative business out of that territory. It doesn’t feel that bad, and you go in with open eyes. Watch out, and if it looks like going towards red, you reconsider your position, and if they regulate and they go to green then you’ll expect your clients to get the licences and do what they need to do.

Finally, here’s the actual work product that we generate for clients at the end of these very complicated risk analyses. I’m taking the example of Switzerland, because it’s a funny little place with lots of weird laws and a lot of different permit interpretations. It’s a good example, a complicated messy system of law to apply your methodology to and see whether anything meaningful pops out at the end, and it does. With the authorised, local guys, of course you can service them. The unauthorised local guys with a presence in the territory – well don’t service them because you’re just aiding and abetting a crime in the jurisdiction. For people outside of the territory it’s fine because the Swiss tend not to enforce their law extra-territorially but do make sure that they don’t have an on-shore presence, and that advice holds good for places like China and the Far East too. If your client is happily taking money through a Swiss bank account, don’t service him either because they’ll go after him over there.

In short, that’s the sort of output that you get to, and as pressure increases on the B2C businesses to develop new verticals and new markets, the risk and the complexity of us as service providers in backing them will increase. In addition to the cyber security and the other risks we’ve talked about today you need a good solid methodology just to make sure that you’re not actually aiding and abetting a criminal offence, you’re not money laundering, you’re not handling the proceeds of crime and you’re not finding yourself barred from a jurisdiction where you havecommitted an offence. It’s the basic legality of the services you supply, it’s very complicated but that’s the methodology that gets you out of the woods. Thank you for listening.