British Gambling Commission warns AI tools may be undermining operator compliance
The regulator has warned that AI tools are often poorly configured and not understood by operators.
UK.- The British Gambling Commission has highlighted its most recent concerns and actions from compliance and enforcement activity. Amid a range of topics, the regulator identified an emerging risk in operators depending on AI-powered tools for anti-money laundering purposes.
The Gambling Commission said it had seen an increase in the use of artificial intelligence (AI), algorithms and behavioural models often intended to identify red flags for money laundering and terrorist financing (MLTF) within a customer’s profile and/or behaviour. Many of these tools give an aggregated score that can be used to generate (or contribute to) a customer’s risk rating, it noted.
However the regulator said that while AI controls can be a useful tool, it found that some operators do not fully understand how their algorithms work as an AML control and have not ensured that they have been implemented effectively.
It said it had identified compliance concerns where, due to the configuration of the algorithm, high-risk indicators had not been identified and/or escalated. It also noted examples where models need a certain level or length of activity before they will score a customer. This can mean that some customers are able to conduct high levels of activity in the early stages of opening an account that is not subject to the controls from the algorithm, it said.
“When implementing AML controls, operators need to ensure that their controls address the risks identified in their MLTF risk assessment, and that such controls are appropriate to the business and implemented effectively,” the Gambling Commision said.
In some cases when an account has been escalated by the algorithm, the relevant team has been unable to see why the escalation was generated, and have not been able to address the risks because they are unaware of what has been identified by the model.
It also cited examples where third parties, including artificial intelligence (AI) and consultancy firms, have been used to draft operator’s risk assessments, and policy, procedure and control documentation and where incorrect information has been included.
The regulator said it would be reviewing operators’ AI tools to check their effectiveness. It also stressed that operators should ensure that staff responsible for resolving escalations from these models have sufficient information to address the risks identified and can effectively implement AML procedures.
“During compliance assessments, we will typically ask for information about the algorithm’s methodology to assist us in assessing whether the control is appropriate and implemented effectively, particularly in addressing the risks identified in the operator’s risk assessment.
“We will examine what is scored, how this is weighted and why, what the thresholds for different risk levels are, how escalations are triggered, and how the operator ensures the effectiveness of the algorithm. Where the control in place is a predictive model, we will seek to understand what the model is trying to predict and how it makes these predictions.
“During the customer review part of the compliance assessment, we will examine how the algorithm operates in practice in relation to specific customers, and test whether this is appropriate and effective.”
Other Gambling Commission compliance concerns
Among other concerns, the regulator said it had seen cases where operators had not followed a sufficiently risk-based approach when compiling their money laundering and terrorist financing risk assessments because they had not considered all relevant risks associated with their operation, including those within the Gambling Commission’s risk assessment and our emerging risks bulletins.
Another issue identified was a disconnect between risk assessments and policies, procedures and controls. The Gambling Commission also identified cases where risk profiles of individual customers were not compiled in line with guidance, including examples where risk factors related to a customer had not been identified at all.
“Operators will need to consider who the customer is, what they do, where they live and do business, and the nature of the product or service they require,” the report says. “This information will enable the operator to determine the level of risk associated with the customer and, in turn, the initial and ongoing customer due diligence and monitoring that is required. Full details of the source of funds to be used in the relationship will also need to be established using a risk-based approach.
“Customer risk profiling must be informed by the operator’s wider risk assessment, and operators need to assess the extent to which a particular customer triggers the risk factors considered in the risk assessment and graduate the risk profile of the customer, and the level of customer due diligence undertaken, accordingly.”
See also: New Gambling Survey of Great Britain shows stable market and no rise in problem gambling
The regulator also cited an over-reliance on financial threshold controls in cases where licensees only began customer risk-profiling and associated risk-based customer due diligence procedures when a financial threshold had been reached, despite other, non-spend related risk factors being clearly present from the commencement of the business relationship. In some examples, there was an over-reliance on financial thresholds to the detriment of other risk factors, and thresholds set at an inappropriately high level.
Other issues included documentation and information not being appropriately scrutinised. This included bank statements with significant third-party deposits evident and/or outgoings higher than income and examples where record keeping and decision logs were not adequately maintained in relation to the review of customer documentation. In some cases, Personal Management Licence (PML) holders were found to have insufficient oversight of AML controls and to have not taken appropriate steps to ensure compliance is achieved.
The Gambling Commission reminded operators that Licence condition 12.1.1(3) requires them to ensure that their policies, procedures and controls take into account any applicable learning or guidelines.
