January 27, 2024

  • Tomás E García Bottas, Partner, MF Estudio, Argentina

Full revamp of Argentina’s AML/CFT regulations now applicable to the gambling sector

LAST OVERHAULED AFTER A CRITICAL FATF EVALUATION IN 2010, ARGENTINA IS DETERMINED TO IMPROVE ITS FINANCIAL CONTROLS AND NOW GAMBLING IS COVERED

Introduction

After more than ten years, the Financial Information Unit (“UIF” after its acronym in Spanish) has updated the Anti-money Laundering (AML) regulations applicable to gaming. Resolution UIF N° 194/2023 (the “Resolution”) is a complete overhaul of the previous rules established by means of Resolution UIF N° 199/2011. With certain exceptions as described in detail in this article (due in 2024, 2025 or 2026, as applicable), the Resolution entered into force on December 1, 2023.

This article will address the main changes the Resolution has brought to the industry and the actions that should be taken to remain compliant. Please keep in mind that unlike gaming and gambling, AML/CFT regulations fall under the competence of the Argentine Federal Government.  For this reason, the Resolution is applicable nationwide.

The Resolution in brief

The clock is always ticking so, for readers (like me) with limited time, we have listed below the major changes incorporated by the Resolution. These outline the requirements now placed on those organisations covered by the new Resolution (“Obligated Entities”)The section following includes additional comments on each of these items.

  • Application of a risk-based approach to the AML/FT procedures of the Obligated Entities.
  • New definitions for Customers depending on the Obligated Entity:
    • Customers in brick and mortar operations: any player who (i) collects a prize; (ii) exchanges chips/cash; for a value equal or greater to 15 Minimum, Vital, and Mobile Wages (MVMW)[1]
    • Customers in online gaming operations: any person who enters (registers on) the operator’s website.
  • Broadened scope of obligated entities. The scope of legal structures that can be considered as Obligated Entities is increased, now including Joint Ventures.
  • Obligated Entities must now identify AML/FT risks (the analysis must take into account at least customer, product, distribution channel, and geographical location risks).
  • The Resolution stipulates different KYC measures to be adopted based on the risk given to each player. The Resolution also requires KYC measures to be adopted in connection with directors, managers, employees and collaborators of the Obligated Entities (whether they are hired by the Obligated Entity or by a third party).
  • Obligated Entities must issue a Self-Assessment Report. This report shall be submitted before the UIF before April 30 of the corresponding calendar year or when there’s a change in the Obligated Entity’s risk level and be updated every two (2) years. The first submission of this document shall be submitted before April 30, 2026, and shall assess the operations of 2024 and 2025.
  • Obligated Entities shall issue a Risk Tolerance Declaration. This declaration shall be submitted before UIF with the Self-Assessment Report before April 30 of the corresponding calendar year or when there’s a change in the Obligated Entity’s risk level and be updated every two years. The first submission of this document shall be submitted before April 30, 2026, and shall assess the operations of 2024 and 2025.
  • Obligated Entities must appoint an AML Compliance Officer and a Deputy AML Compliance Officer.
  • Obligated Entities must carry out an Internal Audit and an Independent External Review. The Independent External Review must be submitted before the UIF within one hundred and twenty (120) days from the date of submission of the Self-Assessment Report. The first deadline for this submission is before August 31, 2026, and shall assess the operations of the years 2024 and 2025.
  • Obligated Entities must have an annual training plan to instruct their staff on the current regulatory rules on AML/CFT for all employees. The Resolution provides the minimum contents the training should cover.
  • Obligated Entities shall now comply with the Annual Systematic Report (“ASR”). The first ASR must be submitted between January 2 and March 15, 2025.

The Resolution in detail

The Resolution is structured into seven chapters addressing (i) its purpose and general definitions (articles 1 and 2); (ii) the AML/CFT system (articles 3 to 21), with a Part I related to risks (articles 4 to 7) and a Part II related to risk mitigation; (iii) due diligence measures (articles 22 to 34); (iv) monitoring, analysis, and reporting (articles 35 to 39); (v)  information schemes (article 40); (vi) penalties (section 41); and (vii) temporary provisions (articles 42 to 44).

In the following sections we describe those aspects that we consider relevant within each of these chapters of the Resolution, including some comments on the situation prior to its enactment and the new scenario.

  • 1. Purpose and General Definitions

The key changes brought by the Resolution are, in our view, the switch to a risk based approach and the incorporation of online gambling into the AML/CFT regulations.

It is also worth noting that the Resolution has brought to light the situation of contractual joint ventures under the AML/CFT regulations. Under section 1442 of the Argentine Civil and Commercial Code, contractual joint ventures are not considered legal entities. Considering this, while Resolution (UIF) No. 199/2011[2] was in force, it was disputed whether contractual joint ventures should be treated as Obligated Entities or not. Under section 2(r) of the Resolution, contractual joint ventures are now regarded as Obligated Entities[3].

  • 2. AML/CFT system: risks and risk mitigation

The Resolution requires Obligated Entities to issue a risk tolerance declaration (article 6) as well as a risk self-assessment technical report (article 5). The risk self-assessment report should consider at least the following risk factors (article 6):

  1. ML/FT risks related to Customer background, activity, behavior, volume, or materiality of transactions at the beginning of and during the entire commercial relationship, and considering at least the following elements: residence, nationality, business, and politically exposed person condition.
  2. ML/FT risks related to products and/or services offered by Obligated Entities, both during the design or development stage as well as during their effective operation.
  3. ML/FT risks related to the different means and/or modalities of placing bets, collecting prizes, making withdrawals and purchases, and/or converting valuables at venues where the customer is physically present, online games, use of devices for the conduct of remote transactions, gambling activities or transactions, among others.
  4. ML/FT risks related to the geographic areas where products and/or services are offered at the national and international level, taking into account economic-financial and social-demographic characteristics and the provisions and guidelines issued by the competent authorities or the Financial Action Task Force with respect to such jurisdictions.

The risk self-assessment technical report needs to be updated every 2 years, unless a change in the risk level of the Obligated Entity occurs in a shorter period of time, and should be filed with the UIF along with the methodology used and the risk tolerance declaration on or before April 30 of the year when the filings are due.  The initial deadline is April 30, 2026[4].

Obligated Entities now need to appoint a deputy AML compliance officer (article 11). Furthermore, it is required that UIF be informed whenever the deputy AML compliance officer replaces the AML compliance officer.  This communication must be submitted to UIF no later than 24 hours following the replacement of the AML compliance officer, and should also include the reasons for the replacement and the term during which the deputy AML compliance officer will be in office.

The removal of the AML compliance officer must also be reported to the UIF, and the appointment of a new AML compliance officer and deputy AML compliance officer should occur no later than 15 days following the removal of the previous officers.

The Resolution now provides for the appointment of a single AML compliance officer and deputy AML compliance officer for entities that are part of the same group (article 13). For the purposes of the Resolution, a group is two or more Obligated Entities included in section 20 of Law No. 25,246 sharing a control relationship or belonging to the same business and/or corporate organization (article 2(f)). It is worth noting that the appointment of a group AML compliance officer and deputy AML compliance officer does not avoid the obligation to report at the level of each Obligated Entity. In other words, entities that are part of a Group will still need to report individually even if they have appointed a single AML compliance officer and deputy AML compliance officer. From this perspective, the convenience of appointing a group AML compliance officer and deputy AML compliance officer appears to be limited at the very least.

Obligated Entities relying on third party services to perform KYC and due diligence measures on customers (article 16). In this case, the Obligated Entities, to be able to rely on third parties, must ensure (i) to immediately obtain the information necessary referred to in the paragraph above; (ii) to implement proper measures to ensure that the third party shall supply, whenever so requested and without delay, a copy of identification data and other relevant documents; (iii) to ensure that the third party abides by the rules and is subject to supervision as to the requirements relating to due diligence and record keeping; and has implemented any such measures as may be required to ensure compliance with this obligation; (iv) to document that the Obligated Entity depends on such a third party; and (v) to establish any such measures as may be required to ensure the protection of personal data and compliance with the duty of confidentiality all in conformity with the specific applicable laws. Reliance on third parties does not preclude the Obligated Entities’ liability for complying with KYC and due diligence on customers.

The term for record keeping remains ten years (article 17).  The Resolution allows documents to be kept in digital format and be specially protected against unauthorized access and a backup thereof shall be kept in digital format as well.

The obligation to conduct annual training courses for personnel is retained (article 18). The Resolution brought some changes, namely:

  • stipulating that the contents of the training should be defined considering their exposure to ML/FT risks as per their duties and/or tasks; and
  • the obligation that any newcomers receive training no later than 60 business days following the date of their engagement.

As for the minimum contents of the training courses, the Resolution stipulates that these should include the following: a) Definition of ML/FT crimes; b) National laws and international standards on AML/CFT; c) ML/FT System policies, procedures, and controls implemented by the Reporting Party, their proper implementation for ML/FT risk management and mitigation purposes, making emphasis on specific issues such as Due Diligence; d) ML/FT risks to which the Reporting Party is exposed as per its own risk self-assessment technical report, the National ML/FT Risk Assessments, as updated, and other documents identifying any such sector-related risks as may be relevant; e) Any ML/FT trends and typologies detected by the Reporting Party as well as those informed by the UIF, the FATF, or the Financial Action Task Force for Latin America (GAFILAT); f) Any red flags and controls to detect Unusual Transactions and procedures for the detection and communication of Suspicious Transactions, with emphasis on the duty of confidentiality relating to the report; and g) Roles and responsibilities of the AML/CFT staff of the Reporting Party.

The Resolution stipulates that the Obligated Entities must implement a two-tier assessment of the AML/CFT system (article 19). On the one side, an independent external review shall be entrusted to an independent external reviewer, who shall issue a biennial report on the Obligated Entities’ AML/CFT System quality and effectiveness, and shall communicate the results electronically to the UIF within 120 calendar days from the expiration of the term established for the submission of the self-assessment. On the other hand, the Obligated Entities must perform an internal audit that must include AML/CFT System-relating areas in its annual programs.

Finally, the Resolution now caters for KYC of directors, managers, employees, and own and outsourced collaborators and UBOs of the Obligated Entities (article 21). At the time of recruitment or hiring, and following the engagement between the parties, the the Obligated Entities shall verify the Public Register of Individuals and Entities Linked to Acts of Terrorism and their Financing (RePET) to determine whether the directors, managers, employees, and collaborators are included therein.

  • 3. Due diligence measures

Adequate KYC of customers is a prerequisite to doing business with an Obligated Entity.  Any failure to identify Customers as per the provisions set forth in this Chapter shall be understood as an impediment to commencing or maintaining business relations and/or collecting prizes, converting valuables and/or exchanging chips for money, as may be applicable (article 22). Furthermore, if a Customer refuses to provide any information and/or documentation requested or does not have such information and/or documentation, prize collection, value conversion, and/or exchange chips for money shall be pending until the above is complied with.

In the case of brick and mortar venues, KYC will be triggered at the time of collecting prizes, converting valuables, and/or exchanging chips for money, when the transaction is equal to at least 15 Minimum, Vital, and Mobile Wages (MVMW)[5]. In the case of online gaming, KYC will be triggered upon registration. The Resolution allows e-KYC (article 23) and requires that a copy of the customer’s ID is kept as part of the KYC process (article 22).

Customers may be rated as (i) low risk; (ii) medium risk; and (iii) high risk[6] (article 25). The rating shall determine the applicability of simplified due diligence measures, medium due diligence measures, or enhanced due diligence measures.

Simplified due diligence is described above. Low risk customer files should be updated at least every five years.

Medium due diligence implies an additional layer of information to be requested from customers: the execution of an affidavit relating to their business activity and source of income and/or funds. The Obligated Entities must verify that the information furnished by the customer is consistent with that gathered from reliable public or private sources. Medium risk customer files should be updated every three years.

Enhanced due diligence implies an additional layer of documentation to be required from customers and/or obtained from reliable private or public sources, which is in addition to simplified and medium due diligence measures. Under enhanced due diligence, the Obligated Entities should evidence the source of income and/or funds of high-risk customers. Obligated Entities shall also adopt measures to verify possible past records relating to ML/FT activities and penalties applied by the UIF and/or any other competent authority in this field. According to the Resolution, the foreign PEP condition of a customer, as well as their business relations or transactions relating to countries, jurisdictions, or territories included in the lists of high-risk countries, jurisdictions, or territories, subject to a call to action as provided by the FATF, shall be considered higher risk customers.

  • 4. Monitoring, analysis, and reporting

The Resolution stipulates that customer profiles shall be defined on the basis of the information relating to the customers’ transactions, amounts, and, in general, any knowledge the Obligated Entities may have about a customer, his or her specific characteristics, labor, business or professional activity, and risk profile, as per the information and documentation gathered from the customer and other reliable private or public sources in conformity with the due diligence processes applicable in each case (article 35). Furthermore, the customer profile shall be defined on the basis of the risk analysis conducted by the Obligated Entities in such a way as to enable the proper detection of Unusual Transactions and Suspicious Transactions conducted by the customer.

Furthermore, Obligated Entities must perform a continuous monitoring of the customers transactions, ensuring that any and all transactions are consistent with the Obligated Entities’ knowledge of the customer, the customer profile, and risk level (article 36). To this extent, Obligated Entities shall put in place (i) automatic red flags and transaction control rules to ensure that all transactions conform to the customer’s profile and risk level; and (ii) physical, video, or electronic surveillance mechanisms, where applicable.

In order to establish red flags and controls, Obligated Entities shall take in consideration both their own experience in the industry as well as the National ML/FT Risk Assessments, their updates, other documents published or disclosed by competent public authorities identifying industry-related risks and risks identified by the Obligated Entities. The standards applied to monitoring systems implemented shall be confidential except for those parties that take part in the monitoring, control, revision, design, and programming thereof as well as those individuals that provide assistance in furtherance of compliance thereof. The methodology to determine monitoring rules and standards shall be documented.

The Resolution includes specific provisions applicable to unusual transactions and the way these should be handled and recorded (article 38). The record of unusual transactions shall include, at least, the following: (i) customer full name and surname, and associated risk level; (ii) customer profile; (iii) identification of the operation and/or transaction (product and amount); (iv) date, time, and origin of the red flag or any other system to identify the transaction to be analyzed; (v) type of unusual conduct or operation (description); (vi) reviewing analyst; (vii) measures implemented for red flag resolution purposes; (viii) date and final grounded decision. A documentary support of this record should be kept in accordance with the provisions of the Resolutions.

Regarding suspicious transaction reports (STRs), the Resolution maintains the rules that were in force prior to its enacting. STRs should be filed (i) within 15 calendar days as from the date on which the Obligated Entity concludes that the operation should be considered suspicious; and no later than 150 calendar days as from the date of actual or attempted performance of the money laundering suspicious transaction. In the event of a FT suspicious transaction, the term to report it to UIF is reduced to 48 hours as of the actual or attempted transaction.

  • 5. Information schemes and penalties

Along with the Monthly Systematic Report[7] the Resolution also provides that an Annual Systematic Report must be filed between January 2 and March 15. This Annual Systematic Report report must include the following:

  • general information (company name, address, activity, AML/CFT Compliance Officer);
  • corporate organizational structure / information;
  • accounting information (revenue by activity);
  • business information (products/services/distribution channels/geographic area); and
  • information about types and number of customers

On the topic of penalties, those included provided by Chapter IV of Law No. 25,246, or any such other rules as may amend, supplement, or replace them in the future, shall be of application (article 41).

Important upcoming deadlines

As mentioned above, the Resolution is in effect as of December 1, 2023. Notwithstanding this, there are some special provisions governing the entry into force of some of the new obligations incorporated by the Resolution. These specific deadlines are listed below.

  • March 1, 2024: deadline to implement the KYC and due diligence measures to online gaming customers[8].
  • January 2, 2025 to March 15, 2025: deadline to file the first Annual Systematic Report, which shall cover the period 2024.
  • ​​April 30, 2026: deadline to file the Self-Assessment Report and the applied methodology covering periods 2024 and 2025. The risk tolerance declaration should also be filed on or before this date.
  • August 31, 2026: deadline to file the initial independent external review covering periods 2024 and 2025

[1] The value of the MVMW for the purpose of these thresholds are those determined for the month of June and December of each year. As of December 31, 2023, the threshold is ARS 2,340,000 (approximately USD 2,869).

[2] The AML/CFT regulations applicable to the gambling sector prior to the enactment of the Resolution.

[3] The question on the capacity of an administrative resolution to expand the scope of application of a law, as section 20(3) of Law 25,246 only refers to human and legal entities, remains. Notwithstanding this, it is now clear that the UIF will require contractual joint ventures to enroll as Obligated Entities.

[4] The initial self-assessment should comprise years 2024 and 2025.

[5] The value of the MVMW for the purpose of these thresholds are those determined for the month of June and December of each year. As of December 31, 2023, the threshold is ARS 2,340,000 (approximately US$2,869).

[6] As per the Resolution (article 25), the following cases shall entail a higher ML/FT risk: (a) customers from countries, jurisdictions, or territories in connection with which the Argentine Republic has raised concerns about the weaknesses of their ML/FT systems and has implemented specific risk mitigation measures based on a higher risk; (b) with respect to business relations with individuals from countries identified by reliable sources as providers of financing or support for terrorism activities, or which have specific terrorist organizations operating within their country; (c) with respect to business relations with individuals from countries, jurisdictions, or territories subject to penalties, embargoes, or similar measures applied by international agencies, such as, for instance, the United Nations organization; and (d) with respect to the business relations and transactions related with individuals from countries and jurisdictions being intensively monitored in conformity with the rules issued by the FATF.

[7] Referring to transactions equal to or exceeding an amount equivalent to 15 MVMW.

[8] All player files should be complete by this date if the operator wishes to keep on doing business with the customer in question.