FARO^™ MLRO

1. Recap

The alert concerns an individual player of a Malta remote-gaming operator. The player opened an account on 25 March, registered from a Ghana IP address, deposited USD 500, played approximately 1,000 slot spins, and later topped up a further USD 2,500. The current balance is around USD 150, but the relevant AML/CFT trigger is the customer’s cumulative deposit activity, not the remaining balance.

The documents and facts provided so far do not fully clear the case. The customer appears to have a Kenya ID document, Nigerian address evidence and an older Italy-linked payslip. Payment-method ownership, PSP/deposit-route information, sanctions/PEP/adverse-media screening and a clear link between the payslip and the gaming deposits are still missing.

2. Practical Outcome

Do not release withdrawals or treat the account as cleared until the CDD/CRA position has been completed. On the facts provided, the USD 500 plus USD 2,500 deposit pattern should be tested against the operator’s approved EUR 2,000 remote-gaming threshold methodology, including the applicable conversion approach and aggregation period.

Crossing the threshold does not automatically mean that an STR must be filed. However, this is also not a clean routine-threshold case. The Ghana IP, Kenya ID, Nigerian address, Italy-linked payslip and missing payment-ownership trail create unresolved customer, geographical, interface and source-of-funds questions. The case should remain under CDD/EDD review, withdrawals should remain blocked, and the matter should be escalated to the MLRO or senior compliance reviewer if the inconsistencies are not resolved through reliable evidence.

3. Legal Basis

According to the PMLFTR, S.L. 373.01, Regulation 2, the operator must first determine whether it is acting as a subject person and whether the player is a customer in a business relationship or is carrying out an occasional transaction. Because the user is a Malta remote-gaming operator and the facts concern a player account, the AML/CFT obligations are determined by the PMLFTR, the FIAU Implementing Procedures Part I, and the FIAU Implementing Procedures Part II for the Remote Gaming Sector.

According to PMLFTR Regulation 2 and Regulation 9(1), casino and gaming licensees must apply customer due diligence where the relevant gaming threshold is met. The remote-gaming sectoral procedures then explain how the EUR 2,000 deposit threshold is to be operationalised for player activity. The relevant question is therefore not whether the remaining balance is around USD 150, but whether customer deposits, either singly or cumulatively under the operator’s methodology, have reached or exceeded the EUR 2,000 trigger.

According to PMLFTR Regulation 7, the operator must apply customer due diligence measures. In this case that means identifying and verifying the customer, establishing the customer’s business and risk profile, understanding the purpose and intended nature of the account relationship in the gaming context, applying ongoing monitoring, and keeping the customer information and documents up to date. The customer-supplied ID document, utility bill and payslip should therefore be treated as evidence to be assessed and verified, not as verified facts merely because they were uploaded.

According to PMLFTR Regulation 8 and the FIAU Implementing Procedures, where required CDD cannot be completed, the operator must not simply proceed as normal. The relationship, transaction or withdrawal handling must be restricted or refused as required, and the case must be assessed for possible reporting. In the remote-gaming context, the sectoral procedures specifically support continued account control pending CDD while restricting withdrawals until the required CDD position is completed.

According to PMLFTR Regulation 11 and FIAU Implementing Procedures Part I Chapter 4.9, enhanced due diligence is required where higher-risk circumstances are present. The relevant risk drivers here are not one isolated fact, but the combined pattern: registration from a Ghana IP address, Kenya identity evidence, Nigerian address evidence, an Italy-linked payslip, an unexplained USD 2,500 top-up, and no confirmed payment-method ownership or screening results. Those facts require enhanced review unless they are satisfactorily explained and verified.

According to FIAU Implementing Procedures Part II for the Remote Gaming Sector, the operator should assess customer risk, geographical risk, product/service/transaction risk, interface risk and payment-method risk. The same source also requires attention to document reliability, non-face-to-face onboarding controls, IP/geolocation information, customer source of wealth/source of funds, threshold monitoring, player behaviour and remote-gaming red flags. These are the relevant sector-specific sections for this case, especially the sections dealing with customer identification, customer risk assessment, the EUR 2,000 deposit threshold, withdrawal restrictions pending CDD, inability to complete CDD, and internal escalation or suspicious transaction reporting.

According to PMLFTR Regulation 15 and FIAU Implementing Procedures Part I Chapter 5, if the operator knows, suspects, or has reasonable grounds to suspect money laundering or funding of terrorism, the matter must be reported through the internal reporting channel and, where appropriate, externally to the FIAU. According to PMLFTR Regulation 16 and the corresponding FIAU guidance on tipping off, customer communications must be handled carefully so that the customer is not alerted to any internal report, STR consideration or FIAU-related process.

According to PMLFTR Regulation 13 and FIAU Implementing Procedures Part I Chapter 9, the operator must retain the CDD material, transaction information, internal review rationale, any internal report, any decision not to report, and the evidence supporting the decision. The case note should therefore record both the facts relied on and the facts still missing.

4. Roadmap

First, confirm the threshold calculation. Convert the USD deposits into EUR using the operator’s approved methodology and record whether the USD 500 plus USD 2,500 deposits trigger the EUR 2,000 remote-gaming CDD threshold.

Second, keep withdrawals blocked until the CDD/CRA position is resolved or an authorised compliance reviewer decides otherwise.

Third, verify the identity document and proof of address through reliable and independent means. Do not treat the Kenya ID or Nigerian utility bill as sufficient until authenticity, customer linkage and residential-address reliability have been checked.

Fourth, resolve the jurisdictional pattern. Record why the registration IP is Ghana, why the identity evidence is Kenyan, why the address evidence is Nigerian, and why the source-of-funds document is Italy-linked.

Fifth, obtain payment-method ownership and PSP/deposit-route evidence. The file should show whether the deposits came from a payment instrument or account in the customer’s own name and from which country or provider.

Sixth, complete sanctions, PEP and adverse-media screening and record the outcome.

Seventh, obtain stronger source-of-funds evidence. One older payslip is not enough by itself unless it can be linked to the actual deposits, for example through bank statements or payment records showing salary receipt and onward funding of the gaming account.

Eighth, update the customer risk assessment. Decide whether the remaining facts support standard CDD completion, enhanced due diligence, rejection, account restriction, or MLRO escalation.

Ninth, escalate to the MLRO if the customer does not provide the missing evidence, if the documents cannot be verified, if the jurisdictional explanation remains incoherent, or if the transaction pattern appears inconsistent with the customer’s profile.

Tenth, keep the customer communication neutral. Ask for CDD and payment-verification information without referring to STR consideration, suspicion, FIAU reporting or internal escalation.