New AGA anti-money laundering guidance raises the bar for casino compliance programs
On December 9, 2019, the American Gaming Association (AGA) issued an update to its Best Practices for Anti-Money Laundering Compliance.
This is a significant update since the guidance’s last issuance in 2017, as it provides additional guidance to help the gaming industry better prevent and detect money laundering and other financial crimes.
The AGA’s 2019-2020 guidance brings the gaming industry anti-money laundering (AML) compliance requirements and expectations more in-line with prevailing AML practices used by the financial services industry. Changes of note in the new guidance include:
• A strong culture of compliance is expected. While the 2017 guidance encouraged a strong tone at the top for AML programs, the new guidance makes clear that casino leaders and board members are expected to have active, ongoing participation in and receive communication about AML compliance efforts. While leadership participation and communication can occur directly or indirectly, through the board’s audit or compliance committee, the expectation for deep leadership involvement in AML programs is clear. The guidance points out that casino boards and C-suites may want to request frequent updates from compliance and internal audit staff on AML program components including: “regulatory developments, changes to the program, resources and audit findings by regulators and by other independent compliance reviews.”
The guidance also reinforces that the Bank Secrecy Act officer or AML officer, and AML compliance function should have appropriate authority and resources to assist the casino with risk management. In addition, a casino should also consider the following as it establishes its routine AML compliance status reporting to the board and senior management: trends in the casino’s risk profile, significant policy breaches, status of remediation efforts, sufficiency of staffing, compliance resourcing, overall budgeting, and training completion statistics.
• Using third parties isn’t a workaround on compliance. The legalization of sports betting and online (interactive) gambling in some states has been a major regulatory change since the issuance of AGA’s 2017 guidance. As emerging forms of gaming are introduced, the 2019-2020 guidance stresses that the use of third parties does not eliminate a casino’s responsibilities for Bank Secrecy Act and AML compliance. In short, casino third parties need to maintain the level of compliance the casino demands. When casinos engage third parties, contracts with those vendors must clearly specify the engaged vendors’ responsibilities around anti-money laundering, while also allowing the casino to periodically test and monitor the effectiveness of the vendors’ AML processes.
Among the vendor processes casinos may want to look into is know your customer (KYC) programs, which should disclose the origin and owner of funds used for betting—particularly in emerging gaming forms like online gaming and sports betting, as well as transaction monitoring. In addition, casinos that engage in third-party relationships should consider developing a third-party risk management framework (e.g., patron verification, sanctions screening, transaction monitoring services) that includes third-party due diligence and risk assessments, use of established service level agreements, outlining roles and responsibilities of the various parties, as well as reporting to senior leadership and/or board of directors on such vendor agreements.
• Risk assessments should be conducted annually, if not more frequently. In 2017, there was relatively little guidance regarding conducting risk assessments. In the AGA’s new 2019-2020 guidance, casinos are encouraged to conduct at least annual AML risk assessments to identify customers and transactions that pose potentially higher levels of money laundering risk, the results of which should be presented regularly to casino leadership for review and approval.
In addition, casinos should ensure that inherent risks and mitigating controls are to be assessed separately and should be independent from each other in order to arrive at the underlying residual risk, when conducting their risk assessments. Further, the risk assessment should provide coverage and consider risks specific to the casino’s unique gaming operations including: patron gaming profiles; gaming and financial services offered; and geographic concerns, including casino and patron proximity to known drug trafficking areas.
The overall methodology used to conduct an AML risk assessment needs to be clearly and comprehensively documented such that a third party (e.g., regulator) can readily determine how the risk factors and mitigating controls were identified and assessed. And risk assessment results should be used by casino senior leadership and compliance professionals on an ongoing basis to hone programs and use information around new or trending risks identified to adopt effective measures or controls to mitigate them.
• Casinos are expected to know their customers. While the 2017 AGA guidance included consideration of customer due diligence and enhanced due diligence, the 2019-2020 AGA guidance clearly states the importance of an implemented KYC program. The required elements of a KYC program should include patron identification and verification, including ongoing and enhanced due diligence.
Beyond AGA guidance, casino leadership would also be wise to keep an eye on FinCEN’s customer due diligence rule, which can be found at www.fincen.gov. While it does not currently apply to casinos, FinCEN’s customer due diligence rule makes clear that the regulators are expecting financial institutions they regulate to establish and maintain written policies and procedures that are reasonably designed to identify and verify the identity of its beneficial owners—or the underlying transactional parties making transactions. To see how this relates to casinos, for example, a gaming operator could be used as a conduit by bad actors who conceal their identities through front money accounts in efforts to launder money. In addition, casinos should ensure that they have adequate processes and controls in place to assist with the identification of their patrons’ source of funds, especially for high rollers that have high cash gaming activity, and foreign nationals whose identity and source of funds may be difficult to verify.
• It’s time to start nurturing your relationships with law enforcement even more. The AGA’s 2017 guidance included commentary on the various requests that law enforcement can make of casinos. However, the 2019-2020 guidance strongly encourages casinos to forge effective working partnerships with law enforcement. To better support training and development efforts, for example, a guest speaker from a regulatory body explaining Bank Secrecy Act requirements and regulatory expectations to casino employees may strike a deeper cord than internal leaders giving similar presentations. In addition, regular interaction with law enforcement can also be a source of valuable information to both casino leadership and regulators regarding emerging money laundering risk and typologies.
Casinos should understand and support the coordination and collaboration with law enforcement, such that it “allows disparate bits of information to be identified, centralized and rapidly evaluated.” Further, the receipt of a law enforcement request including subpoenas should be used as an indicator for a casino to review patron gaming and transactional activity.
In conclusion, the 2019-2020 guidance is a significant step in advancing AML programs for the gaming industry. The 2019-2020 update contains expanded guidance that brings the gaming industry more in line with prevailing AML practices of the financial services industry and should be considered when developing, implementing and evaluating AML programs, and overall compliance framework.