A Guide to Technology Risk Assessments

20th September 2023

By Kirsty Knight, Senior Compliance Manager & Operations Manager (AML Services)

Licensees who are regulated by the Isle of Man Gambling Supervision Commission (the “GSC”) under the Online Gambling Regulations Act 2001 (“OGRA”) are expected to uphold the core principles of keeping the gambling industry crime free, protecting the young and those considered at risk, and ensuring player protection through fair services and players receiving their true winnings.

In this regard, the Isle of Man Gambling (Anti Money Laundering and Financing of Terrorism) Code 2019 (“the Code”) sets out the responsibilities and expectations of licensed entities to prevent their operations being subject to money laundering and terrorist financing risks. Within this Code, Paragraph 7 covers the requirement for the business to conduct technology risk assessments.

A Technology Risk Assessment (“TRA”) is an assessment that estimates the risk of money laundering (ML) or terrorist financing (TF) posed by technology used by a business. It allows the business to acknowledge the risks posed and demonstrate the mitigations and controls in place to reduce any identified risks.

When should a TRA be conducted?

In accordance with the Code, a TRA should ideally be carried out prior to the introduction, or launch, of a new technology within the business. However, given the challenges, this may not always be possible and therefore the Code does allow for the assessment to be undertaken as soon as reasonably practicable after commencing business.

The following scenarios would result in a Technology Risk Assessment being required.

A new product being launched or implemented could include the following:
  • Adding a new PEP/Sanctions provider
  • Adding an IDV screening service
  • Adding a new Payment Service Provider

A new business practice or delivery method using new delivery systems could include the following:
  • A new CRM system
  • A new back-office system

The use of new or developing technologies for both new and pre-existing products could include the following:
  • The use of AI
  • The use of cryptocurrencies as a payment method
  • The use of transaction monitoring

Consideration should also be given to non-AML/CFT matters such as the risk of hacking or data protection issues.

TRAs should be recorded in a TRA Register, which should be reviewed on a regular basis to ensure it is kept up to date.

TRA Top Tips

The following are our top tips for conducting a successful TRA:

  • Use your TRA register as a tool for review. Ensure there is a date by which the original TRA should be reviewed. This ensures that you are always capturing relevant and current risks. For example, if reviewing a Payment Service Provider, you may originally have only been utilising them for one or two jurisdictions but when the review period comes around there are more, and this may change the risk rating of the TRA.
  • Add a risk rating to your TRA. This allows you to ascertain whether the technology is low, medium or high risk. If the technology is high risk but is still required, we would recommend the next top tip being implemented.
  • If the technology is high risk, we would recommend obtaining senior management or Board approval as well as documenting the mitigations and controls that are in place to manage the risks presented.
  • The Money Laundering Reporting Officer (“MLRO”) should add their own narrative as to why they deem the technology beneficial to the business and any mitigations or controls around risk areas identified.
  • Utilise the Code as the “skeleton” of your TRA to ensure that all aspects have been addressed and considered.
  • Ensure that the TRA is not isolated from your other risk assessments such as your Business Risk Assessment and Customer Risk Assessment. The risk assessments should all be intrinsically linked to ensure that they are aligned where appropriate and feed into one another.
  • Develop over time a “bank” of TRA skeletons to utilise going forward for technology that you frequently add to or change. This can include Payment Service Providers, Back Office Systems, Document Storage and AML/CFT related systems.

Learn More

The GSC have published guidance in the form of their AML/CFT Guidance for Operators 2020. This provides operators with an overview of the policy and guidance on key considerations and methods of implementation.

At Amber Gaming, we understand what it’s like to carry the weight of operating in such a heavily regulated industry. If you would like to receive further guidance, support, or training regarding TRAs, feel free to get in touch with our expert team via our Contact Us page.