iGaming Law

Aligning Standards: A Comparative Analysis of Curacao’s New AML/CFT Regulations and FIAU’s Implementing Procedures for Remote Gambling

18 Jun 2024

10 min read

Author: James Bartolo

In an era where the digital frontier of gambling continues to expand, the battle against money laundering and terrorist financing remains a critical challenge. Recent developments have seen the Curacao Gaming Control Board (GCB) issue new Anti-Money Laundering (AML) and Counter-Financing of Terrorism (CFT) Regulations (the Regulations) aimed towards the online gaming sector. These regulations, effective from May 2024, are designed to enhance the integrity and security of the gambling environment in Curacao.

Interestingly, these regulations bear significant resemblance to the Implementing Procedures (IPs) issued by the Financial Intelligence Analysis Unit (FIAU) in Malta, specifically Part II pertaining to the Remote Gaming Sector. The FIAU’s guidelines, established in conjunction with the Malta Gaming Authority, have long been a benchmark in the remote gaming sector for their rigorous standards and comprehensive approach.

This article delves into the similarities between Curacao’s new Regulations and the FIAU’s IPs, highlighting the unified global effort to combat financial crimes in the gaming industry. By comparing these frameworks, one can appreciate the shared commitment to fostering a secure and transparent gambling environment, ensuring that operators adhere to the highest standards of compliance and ethical conduct.

1. The Risk Based Approach

      Both the Regulations as well as the IPs emphasise the importance of a risk-based approach (RBA)[1] to AML/CFT. This approach requires gaming operators to implement measures that are proportionate to the assessed risk levels.

      The GCB Regulations stress that casinos must develop and implement an RBA to manage ML/TF risks effectively. This involves conducting thorough risk assessments to understand the potential risks within their operations. Casinos are required to assess various risk factors, including the geographical location of their players, the types of games offered, and the methods used for transactions. Based on these assessments, casinos must create and implement policies, procedures, and controls that are proportionate to the identified risks. The Regulations also mandate that these risk assessments be dynamic, meaning they should be reviewed and updated regularly to reflect any changes in the risk environment.

      Similarly, the FIAU IPs mandate that all licensees in the remote gaming sector adopt an RBA. This involves conducting both business and customer-specific risk assessments. Licensees are required to document their risk assessments, explaining the methodology used, the reasons for categorising certain risks as high, medium, or low, and the outcomes of these assessments. The risk-based approach under the FIAU framework also necessitates continuous monitoring and updating of risk assessments to ensure they remain relevant and effective in identifying and mitigating potential risks.

      2. Business & Customer Risk Assessments

      The Regulations require operators to perform a Business Risk Assessment (BRA)[2] to evaluate the ML/TF risks associated with their overall operations. This includes examining the types of products and services offered, the methods of delivery, and the geographic locations of their customers. Casinos must also conduct Customer Risk Assessments (CRA)[3] to evaluate the risks posed by individual customers. This involves collecting detailed information about the customer to develop a risk profile, which helps in categorising the customer’s risk level as low, medium, or high. Both the BRA and CRA must be documented, approved by senior management, and updated regularly to reflect any changes in the business environment or customer behaviour.

      Similarly, the IPs also require licensees to conduct comprehensive risk assessments at both the business and customer levels. These assessments must be well-documented, explaining the methods used, the rationale for risk categorisation, and the results of the assessments. The procedures highlight the importance of revising these assessments whenever there are significant changes in the business environment or the behaviour of customers. The FIAU also mandates that these risk assessments should be reviewed and approved by senior management and made available for regulatory review when requested.

      3. Customer Due Diligence

      Under the Curacao Regulations, casinos are required to apply Customer Due Diligence (CDD)[4] measures when establishing a business relationship or when a transaction reaches or exceeds a specified threshold of Naf. 4,000 (circa €2,000). The CDD process involves identifying and verifying the customer’s identity using reliable, independent source documents, data, or information. Enhanced Due Diligence (EDD)[5] measures are mandated for higher-risk customers, such as those from high-risk jurisdictions or politically exposed persons (PEPs)[6]. The Regulations also allow for Simplified Due Diligence (SDD)[7] measures in lower-risk scenarios, provided this is justified by the risk assessment. Operators must document all CDD measures and ensure that they are proportionate to the assessed risks.

      Similarly, the IPs also emphasise the necessity of applying CDD measures at the onset of a business relationship or when conducting occasional transactions that meet or exceed €2,000. The CDD process includes identifying the customer, verifying their identity, understanding the nature of the business relationship, and conducting ongoing monitoring of the customer’s activities. Enhanced measures are required for high-risk customers, such as PEPs or customers using unusual methods of funding their accounts. The procedures also allow for simplified measures in lower-risk situations, but only if supported by a thorough risk assessment. Documentation of all CDD measures is mandatory, and ongoing monitoring is crucial to detect any unusual or suspicious activity.

      4. Reporting and Monitoring

      Effective reporting and monitoring mechanisms are essential aspects of both regulatory frameworks to detect and prevent ML/TF activities.

      The Regulations mandate that operators establish robust procedures for monitoring customer transactions and reporting suspicious activities to the Financial Intelligence Unit (FIU)[8]. This involves setting up systems to identify unusual or suspicious transactions that deviate from a customer’s normal behaviour. Casinos must ensure that their compliance officers are trained to recognise these transactions and report them promptly to the FIU. Additionally, the regulations mandate continuous monitoring and regular updates to the AML/CFT policies and procedures to adapt to evolving risks and regulatory changes.

      Similarly, the FIAU’s IPs mandate that licensees establish and maintain effective monitoring systems to detect and report suspicious activities. This includes appointing Money Laundering Reporting Officers (MLROs)[9] responsible for overseeing the reporting process. Licensees must ensure that all suspicious transactions are reported to the relevant authorities without delay and that adequate records of these reports are maintained. Continuous monitoring of customer transactions is required to ensure they align with the customer’s known profile and risk assessment. The procedures also emphasise the importance of regular training for staff to ensure they can identify and reporting suspicious activities.

      5. Specific Risk Factors for the Gambling Sector

      Both documents identify specific risk factors associated with the gambling sector and provide guidelines on how to mitigate these risks. The Curacao Regulations highlight various specific risk factors unique to the gambling sector, such as the use of anonymous payment methods (e.g. prepaid cards), peer-to-peer gaming, and the potential for large cash transactions. The Regulations require casinos to develop detailed policies and controls to manage these risks effectively. This includes setting transaction limits, conducting enhanced due diligence on high-risk customers, and monitoring for unusual betting patterns or large cash movements.

      The IPs also identify and address specific risk factors pertinent to the remote gaming sector. These include risks associated with customer anonymity, high-value transactions, and the use of electronic wallets. The procedures provide detailed guidelines on how to mitigate these risks through appropriate due diligence measures, transaction monitoring, and regular audits. Licensees are encouraged to use technology and data analytics to enhance their ability to detect and prevent suspicious activities related to these specific risk factors.

      Conclusion

      The new Regulations issued by the Curacao GCB and the IPs by the FIAU for the remote gaming sector reflect a significant alignment in their approach to combating money laundering and terrorist financing within the gambling industry. Both sets of regulations adopt a comprehensive and risk-based framework, demonstrating a shared commitment to safeguarding the sector against financial crimes.

      By emphasising the importance of a risk-based approach, both regulations ensure that gambling operators can implement tailored AML/CFT measures that effectively address specific risks. This alignment indicates that the Curacao GCB is taking a cue from the well-established FIAU IPs, incorporating similar thorough business and CRAs. These assessments are vital for identifying and mitigating potential ML/TF risks, and they must be continuously updated to stay relevant to the evolving risk landscape.

      The detailed requirements for CDD in both regulatory frameworks are crucial for accurately verifying customer identities and monitoring their activities. Enhanced measures for higher-risk customers provide additional safeguards, reflecting a consistent approach across both jurisdictions. The emphasis on monitoring and reporting mechanisms ensures that casinos and gaming operators have robust systems to detect and report suspicious activities, maintaining compliance with international standards.

      Specific risk factors unique to the gambling sector, such as the use of anonymous payment methods and high-value transactions, are addressed in both frameworks. This highlights a shared understanding of the industry’s inherent vulnerabilities and the need for detailed guidelines and controls to mitigate these risks effectively.

      In conclusion, the Curacao GCB Regulations appear to be closely aligned with the FIAU’s IPs, suggesting an effort to adopt best practices from the established regulatory framework in Malta, while tailoring them to the local context in Curacao. This alignment underscores a unified commitment to maintaining the integrity and security of the gambling sector. By adopting these comprehensive measures, remote gambling operators can significantly reduce the risks of money laundering and terrorist financing, ensuring a safer and more transparent gaming environment.


      [1] A methodology used by subject persons (such as financial institutions, professionals, and other entities subject to AML/CFT regulations) to identify, assess, and mitigate the risks of money laundering and terrorist financing they are exposed to.

      [2] A comprehensive evaluation that subject persons must undertake to identify and understand the risks of ML/TF to which their business is exposed. The purpose of the BRA is to ensure that subject persons have a clear understanding of these risks and can implement appropriate measures to mitigate them.

      [3] Evaluating the risk of ML/TF posed by individual customers or customer segments. The goal of a CRA is to determine the level of due diligence and monitoring appropriate for each customer based on their risk profile.

      [4] The process through which subject persons (such as financial institutions, professionals, and other entities subject to AML/CFT regulations) collect and verify information about their customers. The purpose of CDD is to ensure that subject persons know who their customers are and understand the nature of their business relationships and transactions.

      [5] Additional measures taken by subject persons to manage and mitigate higher risks of money laundering and terrorist financing. EDD is applied in situations where the risks are greater and therefore warrant more stringent controls and scrutiny.

      [6] Individuals who are or have been entrusted with prominent public functions and their immediate family members or close associates. Due to their positions and influence, PEPs are considered to pose a higher risk of being involved in money laundering and terrorist financing activities.

      [7] A set of measures applied by subject persons (such as financial institutions, professionals, and other entities subject to AML/CFT regulations) in situations where the risk of money laundering or terrorist financing is considered low. The application of SDD allows for reduced verification requirements and less frequent monitoring compared to standard due diligence.

      [8] A government agency responsible for collecting, analysing, and disseminating information related to unusual or suspicious financial transactions. This unit plays a crucial role in the fight against money laundering, terrorism financing, and other financial crimes.

      [9] A designated officer within a subject person (such as a financial institution or other regulated entity) who is responsible for overseeing and managing the entity’s AML and CTF activities.


      Share