An AML/CFT Guide to Ongoing Monitoring

12th March 2024

by Sean Moffatt, Senior Manager & MLRO

Ongoing Monitoring is a requirement under FATF Recommendation 10. This includes a requirement for businesses to conduct Ongoing Due Diligence including scrutiny of transactions to ensure consistency with their knowledge of the customer. This requirement is embedded into each regulators AML/CFT Section 15 of the GSC’s Gambling (Anti-Money Laundering and Countering the Financing of Terrorism Code 2019 (“the Code”) details the requirements for Isle of Man licensees.

On the blog, we explore what, when and how Ongoing Monitoring is conducted and why it will benefit your business and the market as a whole.

What is Ongoing Monitoring?

Ongoing monitoring process involves collecting and analysing data from various sources such as transaction records, customer profiles, and external databases. This data is then evaluated against predefined risk indicators and patterns to identify any unusual or suspicious activity. Ongoing Monitoring involves performing (at risk based intervals) a review of policies, procedures and testing of their implementation to ensure they are:

  1. Accurate and reflective of current business activities
  2. Appropriate for the risk associated with your operations
  3. Effectively implemented to manage the risk within the licence holders risk appetite

Reviewed at least annually by senior stakeholders, i.e. the Board of Directors (where necessary)

What sort of things does the Code mean?

The Code details that “appropriate scrutiny of transactions and other activities to ensure that they are consistent with –

  1. the operator’s knowledge of the customer, the customer’s business and risk profile and source of funds for the transaction;
  2. the business risk assessment carried out under paragraph 6 (business risk assessment);
  3. any relevant technology risk assessment carried out under paragraph 7 (technology risk assessment); and
  4. the customer risk assessment carried out under paragraph 8 (customer risk assessment).”

    Transaction Monitoring

    Transaction monitoring is the process of monitoring a customer's transactions such as transfers, deposits and withdrawals. Transaction monitoring will seek to identify suspicious behaviour which could indicate money laundering or other financial crime occurring and therefore it is critically important that there are systems in place to monitor and detect activity that deviates from the norm, and where unusual activity cannot be reasonably explained, it is important that any suspicion is reported. Such monitoring is even more important when dealing with a transaction or relationship that poses a higher risk of ML/PF/TF and therefore it is important that Customer Risk Assessments are ongoing to and risk based thresholds/triggers are in place ensure that the appropriate level of scrutiny in terms of customer activity is performed.

    When performing such monitoring, it is important to ensure that decision making is consistent with: -

    1. Your knowledge of the customer, the customer’s business and risk profile and source of funds for the transaction.
    2. The Business Risk Assessment (“BRA”) carried out.
    3. Any relevant Technology Risk Assessment (“TRA”) carried out; and
    4. The Customer Risk Assessment (“CRA”) carried out.


Ongoing Screening

Political Exposed Persons (PEPs) are high-risk individuals, including government officials and political party members, due to their increased opportunities for acquiring assets through illegal means such as bribery and money laundering. Therefore, PEPs must be identified and screened in financial institutions because of their risks. Identifying PEPs and determining their risks is generally referred to as PEP List Screening. It is an essential screening for the best implementation of AML compliance programs, especially in financial institutions.

Sanction List checks are a critical aspect of compliance for businesses today. Financial crimes such as money launderingproliferation financing, fraud and terrorist financing are constantly evolving and pose a significant risk to businesses of all sizes. With the rapid development of technology, financial crimes have become more sophisticated and diverse, making it challenging for businesses to detect and prevent them and therefore it is critical that licence holders not only screen customers for sanctions risk, but third parties too, and ensure that appropriate jurisdictional blocks are in place and effective.

Policies and Procedures

On an annual basis, or as a result of a risk trigger, operators must ensure that their policies and procedures not only reflect the regulatory obligations, but are reflective of the current activities, and due consideration by the Board of Directors in terms of key policies and risk assessments (including the AML/CPF/CFT Policy and BRA) must be evidenced.

Ongoing Effectiveness Testing

To ensure the effectiveness of policies and procedures it is important to periodically test their implementation and effectiveness. Most notably for B2C operators, dip sampling of customer accounts is an essential element of ongoing monitoring. Dip sampling should look to ensure that onboarding, CDD and EDD procedures have been followed effectively, and that necessary scrutiny, assessments and decision-making (which may include a SAR) has been made in accordance with the timelines detailed. Where deficiencies are noted and unusual activity is detected, transaction monitoring thresholds and triggers should be reassessed as this may indicate that they are not calibrated appropriately.

What happens if my Ongoing Monitoring identifies unusual activity, PEP’s or Sanctions?

If you identify unusual activity while undertaking Ongoing Monitoring, you must review and scrutinise the activity at the earliest opportunity. This is likely to involve you utilising your Enhanced Due Diligence (“EDD”) Policy and Procedure. For example, if you are uncertain about the customer’s Source of Funds (“SOF”) and affordability you may choose to request payslips for the month(s) in which the spending took place. If this is not forthcoming or the information provided adds to your initial concern, you should then consider filing an Internal Disclosure (Suspicious Activity Report “SAR”) and escalating to the MLRO so that they can determine if onward reporting the local FIU is required.

When is Ongoing Monitoring required?

How often you undertake Ongoing Monitoring should be a risk-based decision. When determining how often to review a customer you should review the relevant risk assessments i.e., customer and BRA. The recommendation is that if there is a greater risk, the frequency of the reviews should be more frequent.

How is Ongoing Monitoring undertaken?

Ongoing Monitoring can be done manually but often when considering Transaction Monitoring it is more efficient and effective to utilise technology. Whichever technology you decide upon you must ensure that a TRA is undertaken before the technology goes live in your business. Additionally, you should ensure that people who have a solid awareness of the business are involved in the integration so that they can ensure all applicable rules and thresholds are “switched on” so that customers flag for review at the appropriate times. Similarly, it should have the capability for the reviewer to document the review, what steps were undertaken and what the outcome was of the review.

The Benefits of Ongoing Monitoring

  1. Ongoing Monitoring will allow you to allocate your resources and focus your attention on the areas of the business or customers who pose the greatest risk.
  2. It enables you to monitor and control your exposure to unusual or suspicious behaviour and therefore report in a timely manner.
  3. Once the behaviour, product or customer has been identified it will enable you to review and adapt your controls or risk appetite to prevent any similar issues from occurring.
  4. Policies and procedures can be reviewed at the earliest opportunity because of the findings of Ongoing Monitoring to ensure they are accurate and relevant to the risks posed.
  5. The findings of the Ongoing Monitoring can then filter up to the Board level as well as out and throughout by way of staff training to ensure that the staff are aware of red flags and typologies relevant to their business.


Learn more

To sum it up, ongoing monitoring in the context of Anti-Money Laundering (AML) is crucial for gaming operators and software developers to detect risks, ensure compliance with evolving regulations and safeguard their reputation.

Amber Gaming is a specialist gaming consultancy business providing multi-jurisdictional licensing, regulatory compliance advice and professional support to clients across all areas of the gaming industry.

We also provide specialist training (both online and face-to-face) through our Compliance Academy for roles related to these functions.

If you are interested in learning more about ongoing monitoring or discussing your licensing or training requirements, please feel free to reach out to us via the Contact Us form.