Tumas Gaming has been slapped with a €233,000 fine after an investigation by the Financial Intelligence and Analysis Unit found it had failed to implement measures to address major threats to their money laundering supervision.
Tumas Gaming operates the gaming division within Tumas Group, including the Oracle Casino, the Portomaso Casino, Portomaso Gaming and gaming shops.
The FIAU found that Tumas Gaming Limited had breached money laundering regulations by, among others, failing to conduct proper risk assessments of the risks it was exposed to, particularly in relation to its players.
The second inspection was carried out after it became known that former Malta Gaming Authority CEO Heathcliff Farrugia allegedly colluded with Daphne Caruana Galizia murder suspect Yorgen Fenech to try to prevent the publication of findings of an inspection revealing weak anti-money laundering controls at the Tumas Gaming casinos.
Fenech was, at the time, Tumas Gaming’s CEO and the casinos were the subjects of a joint compliance inspection by the FIAU and MGA in 2018 to ensure their adherence with laws designed to prevent money laundering.
‘Complete failure to establish source of funds’
In the latest investigation, inspectors found several breaches of these laws, including a “complete failure” to establish the source of funds and wealth of customers.
The unit found that the company’s business risk assessment should have been “adequate” for the identification of threats and vulnerabilities the business is exposed to.
It said the company’s assessment listed an inventory of threats or vulnerabilities without determining the exposure to them and how these risks would impact the company should they materialise.
In addition, the company’s risk assessment was solely assessed on customer risk, being only one of the main four pillars of risk.
“The company failed to identify and risk assess elements relating to geography, interface and products including funding methods.
“It also did not identify the controls implemented by the company to mitigate the respective risks. It also did not take into consideration the extent of untraced cash drops and the repercussions of possibly being unable to trace the cash activity to a particular player and possible collusion with customers,” the FIAU said in its report.
It said that although the company explained that it had measures in place to mitigate the risk of untraced cash, this was not considered to be adequate as the slot attendant may not always be able to identify the related players.
In addition, the risk assessment failed to identify measures that would mitigate the risk of a player leaving a positive balance on a slot machine with the following player continuing the game with that positive balance. As a result, the company remained exposed to the possibility of collusion between players to convert cash and create layers of transactions.
The FIAU said that during the compliance review, it was identified that the company is exposed to nationals or residents of non-EU or EEA countries, including Saudi Arabia, Russia, Singapore, Libya, Bangladesh, China, Serbia, Turkey, Philippines, Yemen, Dubai, Pakistan, Ghana and Kuwait. It said the company had not analysed the money laundering risks arising from such jurisdictions and the extent of the company’s exposure to these risks.
FIAU officials also noted that the customer risk assessments sampled did not present the correct image of the risk factors which contributed to the overall risk rating of the customer. This hindered the company’s ability to effectively understand the type of controls necessary to counter the risk observed, the FIAU said.
Despite the fact that the company had internal policies and procedures in place for the identification and verification of players, the findings of the onsite examination indicated that the company did not comply and fully implement these procedures in 22% of the sample of player profiles reviewed, also in breach of financial regulations.
It found that there were a number of instances when the company failed to complete address verification and allowed the customer to enter the casino multiple times after reaching the €2,000 threshold.
The FIAU found that although the company’s policies and procedures included a general reference to the circumstances that would require taking enhanced due diligence, the procedures were generic and not comprehensive. Most of them focused on obtaining verification documents or validating the customer’s residential address.
It was also observed that although the company was in possession of a judgment by the Maltese courts against a player for failing to declare amounts in excess of €10,000 at the airport, it allowed the player to deposit €416,457 at the cash desk and drop €309,370 on live tables during the business relationship.
Although the player completed the company’s enhanced due diligence form in August 2018, indicating that he is a marketing consultant, no additional checks and evidence were obtained to corroborate the information.
Moreover, another player deposited €407,805 at one of the cash desks during a six-day period in January 2020 and dropped €212,650 throughout the business relationship. The unit said the company fell short of corroborating the player’s statement with evidence to substantiate both his gaming winnings and his income.
The FIAU also found deficiencies in the company’s assessment of politically exposed people.