Gambling Commission Announces New Changes

The Gambling Commission has published its overdue response to its Summer 2023 Consultation (Response), which confirms the forthcoming regulatory changes which operators will have to implement in the coming months. Here we summarise the Response  and focus on the range of regulatory changes that will now follow. We will provide more detailed analysis of the new measures, and the Financial Risk Checks in particular, in due course. 

Our UK Gambling Reform hub provides all the latest information on developments following the White Paper’s publication and key timings, as well as our analysis and insights. 


Following the publication of the White Paper in April 2023, the Gambling Commission ran a consultation on various proposals between 26 July and 18 October 2023 (Consultation). The Consultation included several notable proposals on direct marketing, remote game design and financial risk checks, the latter of which we reported on earlier this year following the Gambling Commission’s announcement that a pilot programme for financial risk checks would be launched. 

Financial Risk Checks

Light touch vulnerability checks

The Response confirms that light touch ‘vulnerability checks’ will be introduced for customers with a net deposit of £500 in a rolling 30 day period from 30 August 2024, with this threshold reducing to £150 from 28 February 2025. This staged approach is to give operators who do not already carry out these checks sufficient time to implement the checks with a smaller group of customers, before the checks are carried out more broadly. 

These light touch vulnerability checks will be introduced by a new Social Responsibility Code provision, which will require operators to use public record information to check for ‘significant indicators of potential vulnerability’, including whether a customer is subject to a bankruptcy order, county court judgment, individual voluntary arrangement or Debt Relief Order.  Operators must consider the information obtained, alongside any other information they know about the customer and are permitted to use, in order to assess risk. 

Ultimately, operators must take proportionate action to address any indicators of harm, in accordance with the existing customer interaction Social Responsibility Code provision 3.4.3.
These thresholds are different to those proposed in the White Paper, which were to conduct light touch vulnerability checks on customers meeting the following criteria:

  • a £125 net loss within a 30-day rolling period; or
  • a £500 net loss within a 365-day rolling period.

The Commission’s decision to drop the requirement for a rolling 12 month threshold is as a result of the data demonstrating that only a very small number of people are likely to trigger the annual threshold without having previously triggered the 30 day threshold. The Commission therefore felt it would be disproportionate to implement the additional threshold. It is encouraging to see the Commission acting in this way on the basis of the evidence, as they have promised the industry they will. The same applies to the Commission’s decision not to require operators to take into account personal information such as job titles and postcodes as part of these checks. 

Overall, we think this requirement is likely to be well received by the industry, as many operators are already carrying out these checks in some form and they should be ‘frictionless’ for customers. The Consultation also confirms that, given the speed at which these checks can be carried out, there is no need for operators to suspend a customer’s activity pending the outcome of the check.  

Enhanced financial risk assessments

The Response confirms that enhanced financial risk assessments for customers spending larger amounts will not be rolled out until a pilot programme to analyse data sharing has been undertaken. The pilot will commence on 31 August 2024 and will last for 6 months unless the Commission decides to extend the end date to the end of April 2025. Again, it has been reassuring to see the Commission follow through on the assurance given to the industry in the White Paper that these checks will not be implemented until this can be done in a way that is ‘frictionless’ for customers (or at least the vast majority of customers). 

Notably, the Commission has decided that only large operators in the highest 3 bands of licence fee (J1, K1 and L1) will be required to participate in the pilot, though volunteer operators from outside these bands are also sought. The threshold levels which will be relevant have not yet been confirmed, meaning flexibility has been introduced into the amendments to the SR Code, allowing the Gambling Commission the opportunity to alter the thresholds throughout the pilot. 

Enhanced financial risk assessments will be rolled out in the live environment if the pilot confirms it is possible to implement these checks in a frictionless manner, but in any event these checks will not enter the live environment before 2025. 

The Commission has confirmed that the pilot will not have any impact on customers, and operators will not be required to act on the data (although this does not, of course, absolve participant operators from their obligations in respect of customer interaction). 

Notably, whilst the pilot will not result in a requirement to undertake the enhanced financial risk assessments until 2025 at the earliest, the Betting and Gaming Council (BGC) has published its Industry Voluntary Code on Customer Checks and Documentation Requests Based on Spend (BGC Industry Code).  This BGC Industry Code has been developed jointly by the BGC members and the Gambling Commission, and is intended to bring some consistency across the sector until the enhanced financial risk checks are introduced. 

The BGC Industry Code sets out what actions a BGC member must take when customers wish to make net deposits of more than: 

  • £5,000 in a rolling month; and 
  • £25,000 in a rolling 12-month period. 

We will provide separate, more in depth analysis of the BGC Industry Code and its interaction with the financial risk checks, but it is worth noting that these figures are a substantial departure from the Commission’s previous position, which (whether they admitted it publicly or not) required operators to assess affordability at levels much closer to £500 than £5,000. 

Game Design

Multiple changes to remote game design rules will come into force on 17 January 2025. As addressed in the Consultation, the changes will consist of extensions to the rules currently applying to slots products so that they apply other online gambling products. The changes include the following:

  1. Bans on player-led 'spin stop' features on all casino products
  2. Introducing a 5 second minimum spin speed for all casino games (excluding peer-to-peer poker and slots, the later of which is already subject to a 2.5 second minimum speed)
  3. Prohibitions on autoplay for all online gaming products (including bingo)
  4. Extending the prohibition on celebrating ‘false wins’ (i.e. wins less than or equal to stake) to all casino products
  5. Prohibiting simultaneous play functionality across all casino games (excluding peer to peer poker)
  6. Requiring operators to display elapsed time and net positions on all casino products (excluding peer to peer poker)

Additionally, section 4 of the RTS has been updated to amend the security audit requirements. From 31 October 2024, audits must be certified in line with the 2022 updated to ISO 27001.  

Direct Marketing

The Consultation proposed to introduce a new Social Responsibility Code (SR 5.1.12) which would require operators to afford customers more discretion over their marketing preferences. Ultimately, the focus was to ensure customers do not receive direct marketing contravening their channel or product preferences, and this is the objective of the Response as well.

The Response indicates that the proposals in the Consultation will be implemented from 17 January 2025. However, there have been some notable departures from the Consultation proposals including:

  • lotteries being removed from the list of product categories, so that only betting, casino and bingo, as applicable, must be included in product options; 
  • post and push notifications being removed from the list of channel categories, so that only calls, emails and SMS as applicable must be included in the channel options; and
  • the fact operators will not be required to stop marketing to customers who have not set marketing preferences in line with the proposed product options.

Whilst operators will not be required to stop marketing to customers who have not yet set their marketing preferences, they will need to require the customer to reconfirm their marketing preferences where these have not been set on a customer’s first login after 17 January 2025 . All options will need to be unticked so that the customer is making a conscious choice.

Age verification in premises

As proposed in the Consultation, land-based exemptions regarding age verification test purchasing will be removed for category A and B licensees. These changes will come into effect on 30 August 2024 and all relevant premises will need to be tested by 31 March 2025.

Additionally, the proposal to introduce a ‘Think 25’ policy approach to age verification, as proposed in the Consultation, will be implemented. This will come into effect on 30 August 2024.


The Gambling Commission Response indicates multiple changes to LCCP 1.2.1 will be implemented, including:

  • clarifying that a CEO, Managing Director or equivalent must hold a PML; and
  • extending the PML requirements to:
    • the Chair of the board, though this will only apply to chairs appointed for fixed or indeterminate terms of office, not transient or short term appointments for individual meetings; and
    • individuals responsible for anti-money laundering compliance.


Operators need to review these changes carefully and, where they are applicable, achieve compliance by the relevant date. On the whole, we anticipate that the industry is unlikely to be too surprised by the contents of the Response, and there have been some reassuring indications that the Commission has (finally) listened and taken into account some of the responses to the Consultation. The real test, however, will be how the Commission conducts the pilot for enhanced financial risk checks, the result of which won’t be known for some time. 

Industry comment on these changes is likely to be significant in the coming weeks and we will continue to provide more detailed updates on these changes. In the meantime, operators should bear in mind the changes which apply to them, and the dates by which compliance needs to be achieved. We have set out a checklist below for ease of reference:


Latest insights

More Insights
Curiosity line blue background

China Cybersecurity: MIIT Releases Data Security Risk Assessment Rules

Jun 24 2024

Read More
card reader and receipt

Open banking rules and GDPR interplay revisited under the EC’s Payment Services Legislation Proposals

Jun 24 2024

Read More
Generative AI

The FCA publishes its expectations of UK financial services firms adopting or deploying the use of AI

Jun 24 2024

Read More