British casino operators might be forgiven for thinking that there was a limit to the extent to which even more onerous regulatory burdens could be heaped upon them in the near future. However, more robust requirements in relation to both anti-money laundering controls and data protection are set to land on them that will demand preparatory steps to be taken now.
All casino operators in Great Britain have had to focus increasingly on their anti-money laundering controls following recent well-publicised investigations by the Gambling Commission into AML failings on the part of a number of high-profile operators.
In addition to this, at the beginning of May, the Commission announced proposed amendments to its Licence Conditions and Codes of Practice in relation to the prevention of crime associated with gambling.
The amendments (which are intended to come into force in Autumn 2016) follow a Commission consultation that took place at the end of 2015, in which it also consulted on an update to its AML guidance “The prevention of money laundering and combating the financing of terrorism”, the updated version of which will be re-published shortly. As well as the written responses to that consultation, the Commission has taken account of comments made during a series of stakeholder meetings and workshops held between October and December 2015.
The new rules will require casino (and other gambling) operators to:
• conduct an assessment of the risks of money laundering in their business, and show that they have effective policies, procedures and measures to mitigate these, and
• report to the Commission any criminal investigations involving them or their premises where it appears their measures to keep crime out of gambling have failed,
They will also allow licence-holders to determine the best approaches to adopt to achieve the crime prevention outcomes required by the Commission, including the use of improving technological tools.
According to Nick Tofiluk, the Commission’s Director of Regulation: “These new requirements encourage licensees to take a proactive and tailored approach to meeting their obligations to achieve meaningful results rather than focusing on processes alone.”
The EU General Data Protection Regulation (“GDPR”) was approved by the European Parliament on 14 April 2016.
When it comes into force in mid-2018, replacing the current Data Protection Directive, it will introduce a much stricter data protection compliance regime and a tiered approach to financial penalties, enabling fines of up to 4% of annual worldwide turnover (subject to a €20 million maximum) for the most serious infringements and 2% of annual worldwide turnover (subject to a €10 million maximum) for other infringements.
The GDPR will be directly applicable in all EU member-states without having to be transposed into national law. As a result, its provisions will be of equal relevance to British casino operators and other European casino operators alike.
Even if the “leave” vote triumphs in the UK’s EU Referendum on 23 June, it will be vital for the digital economy that the UK’s data protection laws are of a comparable standard with other major jurisdictions. As a result, British casino operators should not assume that the GDPR can be ignored. This has been confirmed by the Information Commissioner’s Office (“ICO”) that has said as follows in its “Statement on the implications of Brexit for data protection”:
“The UK will continue to need clear and effective data protection laws, whether or not the country remains part of the EU. The UK has a history of providing legal protection to consumers around their personal data. Our data protection laws precede EU legislation by more than a decade, and go beyond the current requirements set out by the EU, for instance with the power given to the ICO to issue fines. Having clear laws with safeguards in place is more important than ever given the growing digital economy, and is also central to the sharing of data that international trade relies on.”
The two year time lapse before the GDPR comes into force means that there is time for casino operators to prepare for the data protection changes that are coming but they would be well-advised to start that preparation sooner rather than later.
The ICO has already published on its website advice on preparatory steps that should be taken now, but it is worth noting in particular that under the GDPR:
• data controllers and processors whose “core activities” involve “regular and systematic monitoring of data subjects on a large scale” will have to appoint a Data Protection Officer. This is going to catch all casino operators for whom regular and systematic monitoring (including behaviour tracking and profiling) of their customers – not only to ensure effective marketing but also to enable fulfillment of their AML and social responsibility functions – constitutes a core activity conducted on a large-scale basis
• a right to erasure will be introduced by the GDPR. This is likely to raise tricky questions for casino operators in relation to customer self-exclusions, bearing in mind their obligations both to retain records of self-exclusion agreements and, in the UK, to participate in multi-operator self-exclusion schemes. One hopes that the ICO and the Gambling Commission will enter into sensible dialogue to find the soonest possible answers to those questions.