Order to Dreambox Games OÜ for breach of the Anti-Money Laundering Act

4. July 2024
Name of gambling operator
Dreambox Games OÜ

On 2 July 2024, the Danish Gambling Authority has issued an order to Dreambox Games OÜ (hereinafter Dreambox) for violating the rules on risk assessment in section 7(1) of the Danish Anti-Money Laundering Act.

Field of law
AML Act
Type of reaction
Order

The reaction was given in connection with the Danish Gambling Authority's inspection of Dreambox's written material that Dreambox has prepared to comply with the Danish Anti-Money Laundering Act's requirement that Dreambox must identify and assess the risk that Dreambox may be misused for money laundering and financing of terrorism.

The order is issued because Dreambox's risk assessment is inadequate. Firstly, because it contains an insufficient identification and assessment of risk factors associated with Dreambox's customers.  

Secondly, Dreambox's has failed to sufficiently identify and assess risk factors associated with Dreambox's products in their risk assessment, and it does not contain a separate assessment of the risk of the products themselves. 

Thirdly, the risk assessment fails to separately identify and assess the risk factors associated with Dreambox's payment solutions, and it does not contain a separate assessment of the risk of each individual payment solution. In addition, the risk assessment does not contain an identification and assessment of other relevant risk factors associated with Dreambox's transactions.

Finally, Dreambox's risk assessment is inadequate, as it contains an insufficient identification and assessment of other relevant risk factors associated with Dreambox's business model, including the risk of Dreambox's employees.

Section 7(1) of the Anti-Money Laundering Act states that companies subject to the Act must identify and assess risk factors associated with customers, products and transactions. 

It is the Danish Gambling Authority's assessment that when the gambling operator has assessed the individual risk factors associated with a specific product, the gambling operator must also assess the risk of the product itself based on the assessment of the individual risk factors. 
It is also the Danish Gambling Authority's assessment that the gambling operator's risk assessment should not only relate to the areas listed in the provision. The risk assessment must reflect and cover all parts of the gambling operator's business model. This means that the gambling operator, for example, must also identify and assess the inherent risk that may be associated with its organisation. In this connection, the gambling operator can identify and assess the risk of the gambling operator's own employees knowingly or unknowingly either contributing to or facilitating money laundering and terrorist financing through the gambling operator's business. 

Thus, Dreambox has not complied with the obligation of risk assessment in section 7 of the Anti-Money Laundering Act.

The Danish Gambling Authority assesses that an inadequate risk assessment may increase Dreambox's risk of being misused for money laundering. The purpose of the risk assessment is to provide the gambling operator with a useful tool that gives an overview and understanding of where and to what extent the gambling operator is exposed to being misused for money laundering or financing of terrorism, and what measures are necessary to limit the risks.

Duty to act

The order entails an obligation to act for Dreambox. Dreambox must no later than 2 September 2024 submit a revised risk assessment addressing the order.

Learning points

Gambling operators should ask themselves the following questions based on the breaches identified above in order to prevent being misused for money laundering and financing of terrorism:

  • Have we identified and assessed the risk of money laundering and financing of terrorism in all parts of our business model, including all customer types, products, payment solutions and organisational matters?
  • Have we separately risk assessed the individual identified risk factors included in the risk assessment? 
  • Have we risk assessed each payment solution and product separately?