UKGC · LCCP 3.4.3 12 min read Jun 2, 2026

UKGC Customer Interaction Code: Eight Mandatory Indicator Categories and the Evidence Licensees Must Hold

SR Code 3.4.3 mandates eight indicator categories, automated flagging, and documented evaluation. Here's exactly what your systems must monitor and what the Commission will look for on inspection.

By Matt Denney

Founder, gamingcompliance.io · 15 yrs in iGaming compliance

Published Jun 2, 2026 12 min read Filed Responsible Gambling Compliance

Social Responsibility Code Provision 3.4.3 of the Licence Conditions and Codes of Practice (LCCP) imposes a binding, outcome-focused customer interaction obligation on all remote licensees in Great Britain. The core text took force on 12 September 2022. The requirement to take into account the Commission’s formal guidance, and the guidance itself, became mandatory on 31 October 2023. The result is a two-layer structure: the LCCP sets the minimum standards, and the Commission’s Customer Interaction Guidance for Remote Gambling Licensees (published June 2022, last updated 30 August 2023) specifies how those standards must be met in practice. Neither layer is optional. A licensee that complies with the LCCP text but ignores the formal guidance is non-compliant.

Scope: Which Licences Are Caught

SR Code 3.4.3 applies to all remote licences with a defined set of exceptions. Those excluded are: remote lottery licences where the holder does not provide facilities for instant win or high frequency lotteries, remote gaming machine technical licences, gambling software licences, host licences, ancillary remote bingo licences, ancillary remote casino licences, ancillary remote betting licences, remote betting intermediary (trading rooms only) licences, and remote general betting limited licences. Every other remote operating licence is within scope. Licensees holding multiple licence types must map each licence type against the scope clause individually. Where a third-party B2B provider handles any aspect of the licensed activity, the licensee remains fully responsible for ensuring its customer interaction systems and processes are in place and functioning for that account.

Scope note: Third-party B2B arrangements do not transfer the SR Code 3.4.3 obligation to the provider. The licensee must ensure systems monitor the activity specified in paragraph 5(a-g) for every account, regardless of which technology supplier powers the platform.

The Three-Part Framework: Identify, Act, Evaluate

Paragraph 1 of SR Code 3.4.3 states that licensees must implement effective customer interaction systems and processes that embed three elements: identify, act, and evaluate. This is not a phased sequence. The Commission treats customer interaction as an ongoing process, and the obligation runs continuously from the moment a customer account is opened. The formal guidance structures its requirements into four sections: Section A (general requirements), Section B (identify), Section C (act), and Section D (evaluate). Sections B through D correspond directly to the three LCCP elements and contain 12 of the guidance’s 14 numbered requirements. Compliance with one section does not excuse gaps in another. The Commission’s enforcement casework makes clear that it tests all three elements in every review.

What Are the Eight Mandatory Indicator Categories?

The most operationally important question for a compliance team is: what must the monitoring system actually watch for?

Paragraph 5 of SR Code 3.4.3 sets out seven specific sub-categories of indicators that licensees must monitor as a minimum. These are, as lettered in the LCCP: (a) changes in patterns of spend, (b) time spent gambling, (c) gambling frequency, (d) chasing losses, (e) use of responsible gambling tools, (f) the use of multiple accounts with the same licensee, and (g) additional information provided to the licensee by the customer or from other sources. The formal guidance adds an eighth mandatory category through its treatment of vulnerability under Section B, which requires licensees to take into account the Commission’s separate guidance on vulnerability and to have systems that identify customers who may be experiencing, or at risk of experiencing, harms associated with gambling as a result of their personal circumstances.

“Licensees must implement effective customer interaction systems and processes in a way which minimises the risk of customers experiencing harms associated with gambling. These systems and processes must embed the three elements of customer interaction: identify, act and evaluate, and which reflect that customer interaction is an ongoing process.” Source: UKGC, LCCP SR Code 3.4.3, paragraph 1.

The list in paragraph 5 is a minimum floor. Licensees are not restricted to these seven LCCP indicators and the vulnerability category. A licensee that monitors only those eight and ignores material behavioural signals it actually possesses, for example explicit communications from a customer about financial distress, would still be failing the overarching obligation in paragraph 1. Paragraph 5(g) partially addresses this by requiring systems to pick up “additional information provided by the customer or from other sources,” but the Commission’s guidance is clear that a comprehensive, risk-proportionate approach to marker identification is expected rather than a box-check against a minimum list.

Source: UK Gambling Commission, Licence Conditions and Codes of Practice, SR Code Provision 3.4.3, paragraphs 1, 14; Customer Interaction Guidance for Remote Gambling Licensees (Formal Guidance), published 20 June 2022, last updated 30 August 2023.

Timeliness: A Hard Obligation, Not a Target

Paragraph 7 of SR Code 3.4.3 provides that a licensee’s systems and processes must flag indicators of risk of harm in a timely manner for manual intervention, and feed into automated processes as required by paragraph 11. Paragraph 8 adds that licensees must take appropriate action in a timely manner when they have identified the risk of harm. Both paragraphs use “must.” These are code obligations, not best-practice aspirations.

What constitutes timeliness is not defined in the LCCP by a fixed number of hours, and the Commission’s guidance does not specify a universal clock. The enforcement record is instructive. In the Paddy Power Betfair case, the Commission found that one customer deposited £12,000 across 15 days before the account was identified for review. Another deposited £25,000 over 25 days before any interaction occurred. A third lost £12,300 in five weeks before being flagged. A fourth staked £86,000 across 16 days, losing £6,000, with no manual review taking place at any point during that period despite the velocity of spend. A fifth customer engaged in sessions lasting up to seven hours and 46 minutes, placing over 300 bets amounting to £20,000 in a single session, and was only identified after hitting a loss threshold. The Commission treated all of these as failures of timeliness. Paddy Power Betfair agreed to pay £2 million in settlement across four licensed entities trading under the Paddy Power and Betfair brands, announced in December 2025.

The practical implication is that compliance teams cannot rely on retrospective monthly reviews to satisfy paragraph 7. Systems must be capable of detecting threshold-crossing behaviour as it occurs, or within a period short enough to permit meaningful intervention before substantial harm accrues.

Automated Processes: When Automation Is Mandatory

Paragraph 11 of SR Code 3.4.3 addresses automated processes directly. Licensees must have automated processes that, without human intervention, prevent or mitigate harm in defined circumstances. The Commission’s guidance under Section C (Act) specifies that automated processes are required for strong indicators of harm, meaning that where a licensee classifies an indicator as strong, a purely manual review queue is insufficient. The automation requirement operates as a minimum floor for the highest-risk signals. The guidance does not prohibit human review alongside automation, but does prohibit a system architecture that routes strong indicators through manual review only.

Paragraph 4 of SR Code 3.4.3 requires licensees to have and put into effect policies and procedures on whether a given proportionate-action decision should be taken manually, fully automatically (with the opportunity for customer-requested manual review where action is automated), or through a combination. The policies and procedures must also address when immediate action is necessary to limit harm where significant risk is identified. These two requirements together mean that licensees cannot design their interaction architecture ad hoc. The decision logic must be documented in advance, reviewed periodically, and capable of being produced to the Commission.

Proportionate Action: The Escalation Structure

Paragraph 9 of SR Code 3.4.3 requires licensees to tailor the type of action taken based on the number and level of indicators of harm exhibited. The LCCP sets out five components this must include, though the list is not exhaustive: tailored action at lower levels of indicators seeking to minimise future harm; increasing action where earlier stages have not had the required impact; strong or stronger action as the immediate next step in cases where that is appropriate rather than gradual escalation; reducing or preventing marketing or the take-up of new bonus offers where appropriate; and ending the business relationship where necessary.

The reference to ending the business relationship is significant. LCCP 3.4.3 does not treat account closure as a last resort arrived at only after exhausting every lesser option. Where indicators are sufficiently strong, the Commission expects licensees to move directly to strong action without working through an escalation ladder. This mirrors the guidance on automated processes: the design of the system must include the capacity to act immediately when the risk warrants it.

Paragraph 10, which took force on 12 February 2023, prohibits licensees from sending direct marketing to a customer who has indicated that they are experiencing gambling-related harm. That prohibition applies whether the indication came through the customer’s own statement, through a responsible gambling tool interaction, or through the licensee’s harm detection systems identifying the customer as at risk.

The Evidence Obligation: What the Commission Will Request

Paragraph 12 of SR Code 3.4.3 requires licensees to evaluate the impact of customer interactions and be able to demonstrate to the Commission the outcomes of that evaluation. Paragraph 13 requires licensees to keep a record of the action taken in response to every indicator flagged, including the rationale for the decision on proportionate action. Read together, these two paragraphs create a dual evidence obligation: an outcome-level evaluation record, and an individual decision record for each flagged customer.

“The Commission’s casework and lived experience evidence shows that operators are not setting thresholds for action at appropriate levels, and that they are not taking appropriate action or acting quickly enough when they do identify risk of potential harm.” Source: Gambling Commission, LCCP Consultation Response, 2022.

In practice, the Commission expects licensees to hold the following categories of documented evidence: the policies and procedures on indicator monitoring, threshold-setting rationale, action-type decision logic, and marketing restriction triggers; individual customer records showing when each indicator was flagged, what action was taken, when action was taken, and what the outcome was; evaluation outputs showing the aggregate effectiveness of the interaction programme, including comparison against the problem gambling rates for the relevant gambling activity published by the Commission; and records of any adjustments made to the programme as a result of that evaluation. Paragraph 14 of SR Code 3.4.3 requires licensees to take account of the Commission’s published problem gambling rates for the relevant activity in order to check whether the number of customer interactions is at minimum in line with that level.

The evaluation obligation is not a one-time exercise. The Commission treats it as a continuous improvement loop embedded in the three-element framework. A licensee that evaluates once at implementation and makes no subsequent adjustments will not satisfy the requirement regardless of how thorough the initial evaluation was.

Enforcement Signals: What Failures Cost

The two most instructive recent settlements both involved combined social responsibility and AML failures, with the customer interaction element central in each. In the Paddy Power Betfair settlement of December 2025, the specific failures included interaction thresholds set too high, excessive time elapsed between harm indicators being present and the account being reviewed, a failure to conduct any manual review despite high-velocity spend, and reliance on a single loss-based trigger when multiple behavioural indicators were visible. The settlement was £2 million across four licensed entities trading under the Paddy Power and Betfair brands, as published in the Commission’s enforcement outcome.

According to iGaming Business, in October 2025 the operator of Unibet’s bingo brand was fined £10 million by the Gambling Commission, with social responsibility failures including customer interaction shortcomings forming part of the basis for the sanction alongside significant AML failings. The scale of that penalty underscores that the Commission does not treat customer interaction as a secondary concern to AML. Both frameworks attract enforcement attention of comparable severity.

The pattern across the Commission’s enforcement record is consistent: licensees that configure their interaction systems around loss-only triggers without monitoring the full range of paragraph 5 indicators, or that set thresholds at levels that allow thousands of pounds of deposits before review is triggered, are the most frequent subjects of regulatory action. The Commission’s own consultation record confirms that “operators are not setting thresholds for action at appropriate levels” was a core driver of the 2022 LCCP strengthening.

Compliance signal: Threshold calibration is a regulatory decision, not a commercial one. If a licensee’s threshold review is conducted by a revenue team without independent challenge from the compliance or safer gambling function, the Commission is likely to treat the level as presumptively inadequate.

Intersection with Financial Vulnerability Checks

SR Code 3.4.4 (financial vulnerability checks) operates alongside 3.4.3 but is a separate obligation. From 28 February 2025, the relevant threshold for a financial vulnerability check is where a customer’s deposits minus withdrawals exceed £150 in a rolling 30-day period. The financial vulnerability check uses publicly available data, for example bankruptcy registers, to assess potential financial harm. It is distinct from the financial risk assessment, which uses credit reference agency data and applies at higher-spend levels. Both checks feed information back into the licensee’s broader customer interaction system under 3.4.3: paragraph 3 of SR Code 3.4.3 requires licensees to take into account any information indicating that a customer may be experiencing vulnerability, including information obtained through financial checks.

Compliance teams must ensure their system architecture treats the financial check outputs as inputs to the 3.4.3 monitoring system, not as standalone processes. A licensee that conducts a financial vulnerability check, receives an indicator of potential vulnerability, and does not route that output through the customer interaction evaluation and action framework has a process gap that is visible during Commission inspection.

What to Check in Your Compliance Programme

Compliance officers reviewing their programmes against SR Code 3.4.3 should confirm the following across their systems and documentation. The monitoring system must cover all eight mandatory indicator categories, including the specific seven sub-categories in paragraph 5(a-g) and the vulnerability category drawn from the Commission’s formal guidance. Automated processes must be in place for strong indicators, with the classification of indicators as strong, moderate, or lower documented in policies and procedures. Thresholds must be set at levels calibrated to the problem gambling rates for the relevant gambling activity, not to commercial optimisation objectives. Action taken in response to flagged indicators must be recorded individually, with the rationale for the proportionate-action decision documented at the point of decision. The evaluation cycle must produce written outputs that compare aggregate interaction volumes against the Commission’s published problem gambling rates, and those outputs must drive programme adjustments where gaps are identified. Marketing suppression must operate as a mandatory output of the identification step for customers where the harm risk threshold has been reached.

Operators holding remote licences across multiple jurisdictions should consult qualified legal counsel on how the UKGC’s SR Code 3.4.3 framework interacts with equivalent player protection obligations in other regulated markets, particularly where platform architecture is shared across jurisdictions. For a detailed look at LCCP cost and structural obligations in the context of the broader UK licensing framework, the UKGC vs MGA licence cost analysis provides a rigorous comparison of what each framework demands. Compliance professionals responsible for responsible gambling programmes across multiple regulated markets will find the Responsible Gambling Observatory a useful reference for cross-jurisdiction RG control comparison.

Key Resources

UK Gambling Commission, LCCP SR Code Provision 3.4.3 (Remote Customer Interaction): the primary legal text, available at gamblingcommission.gov.uk. Core provisions in force from 12 September 2022, guidance-reference and guidance-content obligations in force from 31 October 2023.

Customer Interaction Guidance for Remote Gambling Licensees (Formal Guidance under SR Code 3.4.3): published 20 June 2022, last updated 30 August 2023, available at gamblingcommission.gov.uk. Structured in four sections (A-D) across 14 numbered requirements. Licensees must take this guidance into account under paragraph 2 of SR Code 3.4.3.

Gambling Commission, The Commission’s Approach to Vulnerability: formal guidance referenced in the customer interaction guidance, available at gamblingcommission.gov.uk. Defines how vulnerability is identified and how it interacts with the identify-act-evaluate framework.

UKGC Enforcement Outcomes: the Commission publishes full enforcement outcomes, including settlement details, at gamblingcommission.gov.uk. The Paddy Power Betfair (December 2025) and Unibet (October 2025) outcomes provide detailed accounts of the specific customer interaction failings that triggered regulatory action.
