Featured Expert Contributor, White Collar Crime and Corporate Compliance
Gregory A. Brower is a Shareholder with Brownstein Hyatt Farber Schreck, LLP. He also serves on WLF’s Legal Policy Advisory Board and is a former U.S. Attorney and FBI senior executive.
Recent money laundering-related enforcement actions targeting casinos by both the U.S. Department of Justice (“DOJ”) and state regulators suggest increasing scrutiny of anti-money laundering (“AML”) compliance efforts within the gaming industry. Indeed, at an annual casino AML conference held in Las Vegas recently, presentations by several senior government officials included the same message: strict compliance with the requirements of the federal Bank Secrecy Act (“BSA”) is expected, failures to comply may lead to enforcement actions, and the penalties for noncompliance can be severe. But what exactly does the BSA require and how can gaming companies ensure that their BSA compliance programs can withstand scrutiny?
First, it is important to understand how the BSA applies to U.S. casinos and what it requires. Under federal law, U.S. casinos with annual gross gaming revenue of more than $1,000,000 are considered to be non-bank financial institutions and are therefore subject to the AML requirements of the BSA and related regulations. Basically, these requirements include the implementation of an AML program with the following component parts: (1) a written AML compliance program; (2) a system of internal controls; (3) internal and/or external independent testing for compliance; (4) training of casino personnel, including training in the identification of unusual or suspicious transactions; (5) designation of an individual or individuals to assure day-to-day compliance; (6) procedures for using all available information to identify customers and to file required reports; and (7) for casinos with automated data processing systems, the use of automated programs to aid in assuring compliance. Each of these requirements is discussed in more detail below.
Written AML Program. This should be a comprehensive document that is risk-based and clearly outlines the program basics, including the roles and responsibilities for AML compliance within the casino operation, requirements for AML training, the existence and functioning of the casino’s AML committee, the frequency of independent testing, and some of the basic policies covering a range of issues from front money deposits to third-party wires to law enforcement requests to the process for terminating customer relationships.
Internal Controls. Beyond basics that are clearly articulated in the casino’s AML program document, specific, written internal controls should exist and serve to guide the casino’s employees as they perform their daily functions. This is where the details concerning know your customer (“KYC”) practices, Currency Transactions Reports (“CTRs”), and Suspicious Activity Reports (“SARs”), and other required tasks should be set forth in detail for use by the various casino departments including the compliance team.
Independent Review. On a regular basis, key components of the casino’s BSA compliance program should be tested against internal controls to identify whether policies and procedures are being followed. While the casino’s internal audit function, assuming sufficient independence, can generally perform this function, an outside expert should be periodically engaged to conduct a comprehensive review of the program.
Training. Every casino employee whose job puts them in a position to, in any way, be relevant to the operation’s AML efforts must receive regular training. This training can be virtual or in-person but should be tailored to each person’s role and responsibilities and should be supplemented following certain events or developments that suggest the need for additional training. Any training program should include the c-suite and, in larger organizations, the company’s board of directors. In addition, certain subsets of employees, such as the casino customer representatives or “hosts,” may be identified for special training to focus on issues and scenarios that pose the most significant risks to the casino.
BSA Officer. Every casino subject to the BSA must designate a “BSA Officer” who is responsible for all BSA-related matters within the operation. The BSA Officer has responsibility for managing the team that does the daily BSA compliance work including customer vetting, the filing of SARs and CTRs, and other routine tasks. Beyond the day-to-day, the BSA Officer is also responsible for training, coordination with other departments within the casino, liaison with regulators and law enforcement, and ensuring that senior leadership knows and understands the details of the casino’s AML compliance program.
Using All Available Information. A subset of the internal-controls component discussed above, it is important that the internal controls that form the operational reality of the casino’s AML compliance efforts be designed in such a way as to be able to access and incorporate all available information. A casino’s AML program cannot be effective if information is siloed or not communicated internally thus allowing important decisions to be made without a complete picture of all the information available.
Automated Data and Automated Programs. The regulation’s last requirement simply means what it says. If a casino utilizes automated data, as virtually every modern casino operation does, then the casino must also utilize technology in the form of automated programs to be able to access and understand that automated data for BSA compliance purposes. More than anything else, this obligation essentially requires that adequate technology be incorporated into a casino’s AML efforts.
Beyond the requirements that the BSA and related regulations set forth, enforcement actions over time have revealed certain best practices to be more than “nice to have” components of any effective AML program. Thus, while not necessarily spelled out in the letter of the applicable law or regulations, the absence of the following compliance fundamentals will be noticeable to regulators if a casino’s AML program comes under scrutiny.
The Compliance Function Should be Independent. The precise definition of “independent” in this context will depend on the size of the casino and where it may fit into a larger corporate family structure. Regardless of these details, however, key AML decisions such as whether to file a SAR must be made independently and without regard to revenue concerns.
Risk Assessments Should be Regular and Detailed. For a casino’s AML program to succeed, it must be risk-based, and a casino must regularly engage in a comprehensive assessment of all money laundering risks it faces. Each assessment must identify these risks, evaluate them, rank them, and prescribe controls to eliminate or mitigate them. Recent enforcement actions have suggested that risk assessment is one of the most critical aspects of an effective BSA compliance program. Indeed, while not currently required, the Financial Crimes Enforcement Network (“FinCEN”) has proposed a new rule that would make such regular risk assessments a requirement.
Senior Management Should Take Their Oversight Role Seriously. Any casino large enough to be subject to the BSA’s requirements should establish an internal oversight structure that can assure senior leadership that the casino’s BSA compliance program is appropriately designed, adequately resourced, and is effectively functioning. Effective oversight of the BSA Officer can be performed by a sub-committee of the company’s board of directors or by an independent committee made up, in whole or in part, of people who are not company board members or executives. However it is structured, the key is that the casino’s AML efforts are regularly reviewed to include an assessment of the independent audit findings or other independent reviews of the BSA compliance performance.
Customer Barring Decisions Should Be Risk-Based and Documented. If anything is clear from recent BSA enforcement actions, it is that regulators are likely to second-guess a casino’s decision to allow a suspicious customer to wager. While the BSA itself does not require casinos to bar customers, the law does prohibit a casino from knowingly receiving the proceeds of illicit activities. To avoid the risk of violating that criminal prohibition, a casino should take a conservative approach and be quick to act if the facts appear to indicate that a customer’s source of funds is from illicit activities. Equally important is the need to carefully document the reasons why a customer who comes under scrutiny is ultimately not barred.
* * *
In summary, the potential repercussions of not maintaining an effective AML program to the point that the casino is violating the BSA can be major and may include civil fines, criminal prosecution, and significant collateral consequences affecting, most importantly, a casino’s ability to keep its license to operate. Recent enforcement actions, both federal and state, also serve as a reminder that not only is BSA compliance a current government priority, but that the cost of noncompliance is growing. Every casino subject to the BSA would be well advised to get out in front of potential noncompliance issues by reviewing its program considering the several key program requirements and best practices discussed above.