A downloadable version of this public statement is available here - Public Notice BMO Manx Limited
1.1 The Isle of Man Gambling Supervision Commission (the “Commission”) makes this public statement in accordance with powers conferred on it under section 19 of the Gambling (Anti-Money Laundering and Countering the Financing of Terrorism) Act 2018 (the “Act”).
1.2 The making of such public statement supports the Commission’s statutory objectives of, among other things, securing an appropriate degree of protection for customers of persons carrying on a regulated activity, reducing financial crime and maintaining confidence in the Isle of Man’s gambling industry.
1.3 Consequential to undertaking a regulatory inspection of BMO which identified prima facie contraventions of the Gambling (Anti-Money Laundering and Countering the Financing of Terrorism) Code 2019 (the “Code”) the Commission opened an investigation into BMO. This Public Statement details the conclusions and outcomes of that investigation.
1.4 In light of the same, the Commission has determined that it would be reasonable and proportionate, in all the circumstances, that BMO be required to pay a discretionary civil penalty in connection with these contraventions in the sum of £1,000,000 discounted by 30% to £700,000 (the “Civil Penalty”).
1.5 The level of the Civil Penalty reflects the failures admitted but also the fact that BMO and the BMO senior personnel co-operated with the Commission and agreed settlement at an early stage.
2.1 BMO was licenced by the Commission pursuant to the Online Gambling Regulation Act 2001 (“OGRA”) between 5th August 2021 and 18th August 2023.
2.2 Commencing in May 2023, the Commission conducted an AML/CFT inspection in respect of BMO in accordance with its statutory powers (the “Inspection”). The Inspection, based on a sample of files, identified prima facie contraventions of the Code (the “Contraventions”). The identification of such Contraventions caused the Commission to consider that it was reasonable, necessary and proportionate in all the circumstances to commence a regulatory investigation.
3.1 The Investigation identified a range of issues that, when assessed by the Commission against relevant Guidance and legislation, established that, at all relevant times when formerly licenced, BMO:
3.1.1. did not conduct Enhanced Due Diligence despite the customers being identified as posing a higher risk of Money Laundering and/or Terrorist Financing, and identifying unusual activity as required by paragraph 14 (3) of the Code.
3.1.2. had a Customer Due Diligence policy that did not evidence the need for Enhanced Due Diligence or additional monitoring in the event of suspicious activity as required by paragraph 14 of the Code.
3.1.3. did not evidence consideration within policies and procedures to not proceed with customer relationships, terminating ongoing customer relationships or of making any internal disclosures in the event that Enhanced Due Diligence was not provided within a reasonable timeframe as required by paragraph 14 (4) of the Code.
3.1.4. had a Suspicious Activity Reporting chain that was inefficient and diluted across BMO’s operations via Peru and Malta, with numerous parties involved before the MLRO could give true consideration of facts (paragraph 22(a), (b) and (c) of the Code).
3.1.5. had failed to comply with paragraph 23(b) of the Code where, on a reasonable basis, internal disclosures should have been reported to the MLRO.
3.1.6. did not record and maintain procedures & controls for the purpose of identifying Politically Exposed Persons as required by paragraph 13 of the Code.
3.1.7. did not establish, record, maintain or operate appropriate procedures and controls sufficiently to ensure the verification of identity of its customers as required by paragraph 11 of the Code.
3.1.8. was unable to demonstrate that it had processes or any procedures around how or when ongoing monitoring was determined as required by paragraph 15 (3) of the Code.
3.1.9. had a Customer Risk Assessment and applicable policy that did not have regard to all relevant risk factors or those which may pose a higher risk of ML/TF as required by paragraphs 8 (4), and 8 (7)(b) and (c) of the Code.
3.1.10. did not implement its Business Risk Assessment until circa 6 months after commencing online gambling activities, as required by paragraph 6 of the Code.
3.1.11. had not undertaken a Technology Risk Assessment and its Technology Risk Assessment policy was generic and not specific to its business or the risks relevant to its business, as required by paragraph 7 of the Code.
3.1.12. did not have appropriate procedures and controls to monitor and test compliance with AML/CFT legislation as required by paragraph 25 (1) of the Code.
3.1.13. had policies/controls which didn’t ensure that failure to provide CDD must result in the customer relationship being terminated and consideration of an internal disclosure being made, as required by paragraph 10 (5) of the Code.
3.1.14. had an AML/CFT policy that did not sufficiently delineate the responsibilities of the MLRO and AML/CFT Compliance Officer who have distinct regulatory requirements as required by paragraph 21 (1) and 25 (4) of the Code.
3.1.15. had an MLRO and AML/CFT Compliance Officer who was unable to demonstrate having sufficient access to information and resources at all times to properly discharge the responsibilities of these positions as required by paragraphs 21 (2)(c) and 25(4)(c) of the Code.
3.1.16. had an MLRO who was unable to demonstrate or evidence having full access to all relevant business information as required by paragraph 22(d) of the Code.
3.1.17. failed to comply on occasion with paragraph 22(f) of the Code, which requires that SARs are provided to the Financial Intelligence Unit ‘as soon as is practicable’.
3.1.18. had policies which did not detail how quickly (i.e. as soon as is practicable) the MLRO must report knowledge of suspicion externally as required by paragraph 24 (2) of the Code.
3.1.19. it was found that the creation and review of key compliance policies and procedures were not undertaken by the AML/CFT Compliance Officer as required by paragraph 25 (1) and (4)(c) of the Code.
3.1.20. could not evidence the AML/CFT Compliance Officer had submitted a report to senior management as required by paragraph 25 (2) of the Code.
3.1.21. failed to meet the training and education requirements of the Code as numerous key role holders were not listed on the training register. Furthermore, of those staff listed, a number had not undertaken relevant training at least annually as required by paragraph 27 (1) of the Code.
3.2. The nature, extent and type of contraventions were of such a nature as to cause the Commission to conclude that, in all the prevailing circumstances, the imposition of a Discretionary Civil Penalty was appropriate.
4.1 The Commission is satisfied that the imposition of the Civil Penalty on BMO reflects the serious nature of the non-compliance and issues identified in relation to BMO.
4.2 It was further noted that BMO acknowledged the serious shortcomings in its operational arrangements at an early stage of the Commission’s investigation and thereupon entered into settlement discussions with the Commission and sought to resolve matters constructively and expeditiously.
1. Acquiring a block of customers or transferring another book of business to an Isle of Man Operator requires careful scrutiny and analysis to ensure that the standards of compliance expected and required in the Isle of Man can be achieved. Greater risk may attach to such cases where customers are transferring from jurisdictions where regulatory standards and oversight are accepted and understood to be lesser than the accepted international standards required at all times in the Isle of Man.
2. Ensuring that all relevant staff are trained and knowledgeable, and that systems and processes are in place to enable the Operator to act in a timely manner to ensure reporting to the Financial Intelligence Unit, is integral to any effective regime that aims to counter ML, TF or PF risk. Operators with material shortcomings in these areas can expect to encounter robust regulatory measures.
3. Whilst the Code provides certain flexibility to an Operator to operate on a risk-based approach, it is implicit that enhanced measures are taken to mitigate risk when any ‘red flags’ are present.
4. Compliance with the Code is mandatory. Reliance on any third party for any operational aspects of an Operator’s activities should be subject to robust oversight and challenge in addition to appropriate assurance controls.
5. As noted in the Commission’s publicly available ‘enforcement strategy’ “holding a licence issued by the GSC imposes upon that licence holder a requirement and expectation that it seeks to achieve the highest standards of regulatory compliance, governance and risk management”.
6. The Commission, in regulating and supervising online gambling, will exercise its powers robustly if material risks to its regulatory objectives are identified in order to ensure that the Isle of Man retains its reputation as a responsible, and well regulated, Jurisdiction.