Lottomart’s £360k UK settlement: a technical and governance audit trail for the whole market
- Kevin Jones

- Sep 17
Lottomart operator Maple International Ventures will pay a £360,000 regulatory settlement after a UKGC compliance assessment and section 116 review identified AML/CTF and safer-gambling failings. Beyond the divestment and costs, the public statement reads as a playbook: risk assessment tied to live threats, real-time hard-stops at KYC/CDD thresholds, machine-assisted harm actions, and evidence that fixes actually work. With mandatory deposit-limit prompts due 31 October 2025, this case signals where the bar now sits for controls, automation, and governance.

The UK Gambling Commission has agreed a £360,000 regulatory settlement with Maple International Ventures Ltd, operator of Lottomart.com, following findings of anti-money laundering (AML/CTF) and social responsibility failings identified during a June 2024 compliance assessment and a subsequent section 116 review. The settlement — which includes a £50,000 divestment and directs all funds to socially responsible causes — avoids a formal financial penalty but locks in a public statement of facts that offers a detailed roadmap of what the regulator now expects in practice.
Note: The Commission found no evidence of criminal spend or sanctions breaches in the reviewed customers. (See “Findings” in the public statement.)
The core failings (and why they matter)
Risk assessment not “appropriate”: Between June 2023 and July 2024, Maple’s ML/TF risk assessment omitted key vectors — for example organised crime gangs and mule accounts — and lacked adequate linkage to the Commission’s own risk assessment, AML guidance and emerging risks publications. In short, the documented assessment didn’t reflect the live threat model.
Controls design vs. implementation gap: Between May and October 2024, policies and controls were judged not appropriate and/or not effectively implemented. A headline example: a customer circumvented duplicate/linked account detection by re-ordering names; the duplicate was only caught the next day after significant deposits and losses — illustrating brittle match logic and delayed detection.
Timeliness and “hard-stops”: The Commission found time lags between identifying ML risk and taking action, allowing transactions beyond intended thresholds — e.g., customers not fully verified continuing above the CDD trigger. This underscores the regulator’s growing insistence on automated, real-time hard-stops at thresholds, not soft alerts.
Safer-gambling signal coverage: Under SRCP 3.4.3, the operator’s indicator set was insufficient for detecting ‘binges’, ‘spikes’, overnight play, and post-big-win high staking; in addition, “strong indicators of harm” were not well-defined and no associated automated actions were configured. The Commission’s direction of travel is clear: identify → act → evaluate must be machine-assisted, explicit, and testable. See the formal guidance and Requirement 1 explainer.
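The difference between a soft alert and a real-time hard-stop at the CDD trigger, as an added example that is not code from the operator or the Commission. The trigger value, event fields and decision strings are assumptions chosen for illustration, and the event stream is constructed.

```python
from dataclasses import dataclass, field

CDD_TRIGGER = 2000  # assumed illustrative threshold, not a regulatory figure

# Constructed event stream, in arrival order.
EVENTS = [
    {"customer": "c1", "type": "deposit", "amount": 1500},
    {"customer": "c1", "type": "deposit", "amount": 400},
    {"customer": "c1", "type": "deposit", "amount": 300},
    {"customer": "c1", "type": "deposit", "amount": 1000},
    {"customer": "c1", "type": "cdd_complete"},
    {"customer": "c1", "type": "deposit", "amount": 500},
    {"customer": "c2", "type": "deposit", "amount": 2500},
]

@dataclass
class ThresholdGate:
    hard_stop: bool                      # True: decline in-line; False: alert only
    totals: dict = field(default_factory=dict)
    verified: set = field(default_factory=set)
    review_queue: list = field(default_factory=list)
    over_trigger_unverified: int = 0     # money accepted above the trigger pre-CDD

    def on_event(self, ev):
        cust = ev["customer"]
        if ev["type"] == "cdd_complete":
            self.verified.add(cust)
            return "verified"
        total = self.totals.get(cust, 0)
        new_total = total + ev["amount"]
        if new_total > CDD_TRIGGER and cust not in self.verified:
            self.review_queue.append(cust)          # both modes raise the alert
            if self.hard_stop:
                return "declined_pending_cdd"       # running total is unchanged
            # Soft mode: the deposit goes through while the alert waits for review.
            self.over_trigger_unverified += new_total - max(total, CDD_TRIGGER)
        self.totals[cust] = new_total
        return "accepted"

def run(events, hard_stop):
    gate = ThresholdGate(hard_stop=hard_stop)
    decisions = [gate.on_event(ev) for ev in events]
    return decisions, gate.over_trigger_unverified

if __name__ == "__main__":
    for mode in (False, True):
        print("hard_stop" if mode else "soft_alert", run(EVENTS, mode))
```
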
The rulebook references
The public statement cites breaches of LCCP 12.1.1 (1)-(3) (risk assessment, appropriate controls, effective implementation) and SRCP 3.4.3 subsections (1), (4), (5 a–d), (11) (effective monitoring from account opening; using a range of harm indicators; and acting promptly, including automated actions with meaningful human review). For operators, those references are not just citations, they are checklist headers for internal audits.
Penalty calculus: aggravation and mitigation
The Commission flagged aggravation where Maple knew customers could pass financial thresholds before full CDD but only implemented an effective fix after discussions during the assessment — and reminded the market it has previously issued public statements on similar issues. Mitigation included an unblemished regulatory history, swift remedial action plan, full cooperation, and early acceptance of failings. The settlement also includes payment towards the Commission’s investigation costs — a standard feature in many cases.
The Commission’s Director of Enforcement, John Pierce, framed the outcome succinctly: “The cornerstone of every licensed business must be the proper implementation of effective policies and procedures aimed at making gambling crime free and safer.” The call-to-action: read the public statement and pressure-test your own controls.
Company and licensing context
Maple International Ventures is Gibraltar-based (Europort, GX11 1AA) and trades as Lottomart in GB under account 51833, with active domains lottomart.com / lottomart.co.uk / lottomart.app. It is licensed by the Gibraltar Gambling Commissioner (RGL 109 & 110) and by the UKGC for GB operations.
Why this case is instructive for senior leaders
Data engineering > policy prose. The UKGC’s findings centre on system behaviour, not just policy documents. Duplicate-account logic, string-matching robustness (name permutations, multi-ID joins), and real-time event processing for thresholds are now board-level risk items. If your dedupe relies on a few exact fields, you are inviting failure.
Automate the “act” in identify-act-evaluate. The statement explicitly faults the lack of automated actions for strong harm indicators. Translate every red-flag into a deterministic control: hard-stops at KYC/CDD thresholds; session interruption on binge/spike signals; friction post unusual wins; and manual review to validate/override with audit trails. (See SRCP 3.4.3 and formal guidance.)
Prepare for the 31 October 2025 deposit-limit prompt. New rules and RTS updates will standardise friction across the market and elevate expectations around customer-led tools, surfacing UX and analytics debt. Governance, product, and data teams should align on copy, UI placement, telemetry, and six-month reminders now — don’t wait for day-one compliance.
Evidence of learning matters. The mitigation Maple received (clean history, early acceptance, cooperation, action plan) shows that transparent remediation influences outcomes. Documentation of fixes (design docs, control testing, model performance reviews) is not a formality — it’s part of your defence file. See the Good practice checklist at the end of the statement.
Practical control enhancements to consider (now)
Duplicate/linked account detection 2.0: Move from deterministic, single-field matching to multi-feature fuzzy/entity resolution (name order/spacing, device/browser fingerprints, payment instrument features, IP/ASN clustering, geo-velocity). Add daily back-solve to catch evasion post-hoc and auto-lock for investigation.
Thresholds as hard-stops: Enforce KYC/CDD gating at the event stream level; publish SLAs for risk-to-action latency (e.g., <60s from trigger). Gate higher-risk payment methods until CDD complete.
Harm signal coverage: Ensure your indicator library explicitly includes binges, spend spikes, overnight patterns, post-big-win high-staking, net-loss acceleration, reversed withdrawals, and session intensity. Map each to automated interventions (interruptions, limit raises denied, cooling-off), plus post-interaction evaluation. (Cross-check against SRCP 3.4.3 and the formal guidance.)
Model governance: If you use algorithms for harm detection, document feature selection, alert thresholds, bias/recall trade-offs, and A/B impact on false negatives. The UKGC explicitly asks how you chose flag levels and how you test efficacy. (See Requirement 1.)
Risk assessment lifecycle: Tie your ML/TF risk assessment to current Commission publications: Emerging risks (Apr 2025), the 2023 ML/TF Risk Assessment and GC Risk Assessment 2023 notice, plus HMT’s National Risk Assessment 2025. Version it, review at least annually, and on product, payment, or demographic changes.
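For the duplicate/linked account item above and the name re-ordering bypass described in the findings, an added example (not the operator's match logic) that compares a literal name check with an order-insensitive name key combined with corroborating features. The accounts are constructed, and the field names, weights and thresholds are assumptions to be tuned against labelled cases.

```python
import unicodedata
from difflib import SequenceMatcher
from itertools import combinations

# Constructed sample accounts (not data from the case).
SAMPLE_ACCOUNTS = [
    {"id": "A1", "name": "Jane Ann Doe", "dob": "1990-04-12", "device": "dev-1", "card": "card-aa"},
    {"id": "A2", "name": "Doe, Jane Ann", "dob": "1990-04-12", "device": "dev-1", "card": "card-bb"},
    {"id": "A3", "name": "Jane Doe", "dob": "1985-01-30", "device": "dev-9", "card": "card-cc"},
    {"id": "A4", "name": "José García", "dob": "1979-11-02", "device": "dev-4", "card": "card-dd"},
    {"id": "A5", "name": "Garcia Jose", "dob": "1979-11-02", "device": "dev-5", "card": "card-dd"},
]
# Assumed weights and thresholds, for illustration only.
WEIGHTS = {"dob": 20, "device": 15, "card": 15}
NAME_POINTS, NAME_MIN_RATIO, LINK_THRESHOLD = 50, 0.85, 70

def name_key(full_name):
    """Accent-, case-, punctuation- and token-order-insensitive form of a name."""
    text = unicodedata.normalize("NFKD", full_name)
    text = "".join(c for c in text if not unicodedata.combining(c)).casefold()
    return " ".join(sorted("".join(c if c.isalnum() else " " for c in text).split()))

def exact_match(a, b):
    """Brittle baseline: literal name plus date of birth."""
    return a["name"].casefold() == b["name"].casefold() and a["dob"] == b["dob"]

def link_score(a, b):
    """Score a pair on fuzzy name similarity plus shared features, with reasons."""
    score, reasons = 0, []
    ratio = SequenceMatcher(None, name_key(a["name"]), name_key(b["name"])).ratio()
    if ratio >= NAME_MIN_RATIO:
        score += NAME_POINTS
        reasons.append(f"name~{ratio:.2f}")
    for feature, points in WEIGHTS.items():
        if a[feature] == b[feature]:
            score += points
            reasons.append(feature)
    return score, reasons

def find_linked(accounts):
    """Return (id_a, id_b, score, reasons) for every pair at or above the threshold."""
    hits = []
    for a, b in combinations(accounts, 2):
        score, reasons = link_score(a, b)
        if score >= LINK_THRESHOLD:
            hits.append((a["id"], b["id"], score, reasons))
    return hits

if __name__ == "__main__":
    for hit in find_linked(SAMPLE_ACCOUNTS):
        print(hit)
```

Running the same function at registration and again in the daily back-solve keeps the two checks consistent; the reasons list gives the investigator the audit trail for each lock.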
This is not a “mega-fine,” but it’s a dense signal about the Commission’s priorities: operational execution of controls, automation of harm responses, and real-time gating at AML thresholds. With the deposit-limit prompt obligation from 31 October 2025, senior leaders should treat Lottomart’s statement as a pre-mortem template for their own estates: audit the match logic, codify hard-stops, formalise automated actions, and evidence the learning loop.




