AGA Details Components of a Strong AML/BSA Program
Earlier this month, the American Gaming Association (“AGA”) released an updated Best Practices for Anti-Money Laundering (“AML”) Compliance (“Best Practices Guidance”) reflecting a heightened focus on risk assessment as well as Know Your Customer/Customer Due Diligence measures for the gaming industry. This update amends the industry’s first set of comprehensive best practices for AML compliance, issued in 2014. At the time, the best practices were well-received by the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (“FinCEN”). The updated Best Practices draw from recent FinCEN guidance and enforcement actions, the Treasury Department’s National Money Laundering Risk Assessment, and the Office of Foreign Assets Control’s updated compliance guidelines, and they provide detailed guidance regarding how the industry can continue to be “a leader in compliance.”
The Elements of an AML/BSA Compliance Program
At the outset, the Best Practices Guidance states that “to safeguard the integrity of the casino industry and the U.S. Financial System, casino companies have developed effective risk-based programs….” Indeed, the Best Practices Guidance underscores the need for casinos to maintain a strong culture of compliance by allocating substantial employee time to AML compliance. This includes:
- Establishing internal controls and policies and procedures to assure ongoing compliance
- Ensuring independent testing of an AML program at a scope and frequency that matches current risk assessment
- Training personnel in, among other things, the identification of unusual financial transactions and aggregation of currency transactions
- Designating an individual responsible for assuring day-to-day AML compliance
- Providing adequate resources to compliance functions
The Best Practices Guidance further notes that casinos may find it valuable to participate in FinCEN’s voluntary information-sharing program. We focus here on a few areas of note in the Best Practices Guidance: the Risk Assessment, Employee Training, and Know Your Customer/Customer Due Diligence Requirements.
The centerpiece of the Best Practices Guidance is the development of a robust risk assessment protocol that will tailor an effective compliance program to casino operations. It suggests casinos ask themselves the following questions:
- First, what are the entry and exit points at the casino for patron funds that may come from illicit sources?
- Second, what casino departments or employees are best positioned to detect the entry and exit of such funds?
- Third, what are characteristics of transactions that may involve illicit funds, or of patrons who are more likely to engage in suspicious activity?
- Fourth, what measures (including automation) do we have in place to mitigate these risks?
- How effective are those measures?
In answering these questions, casinos should assess risks across all parts of their businesses and consult guidance from regulators, independent auditors and law enforcement officials. Compliance professionals should look at the following as well when developing a risk assessment:
- State Regulatory Requirements
- Results of Independent Audit and IRS Exams
- Gaming Volume and Character
- Range of Financial Services
- Characteristics of Certain Games
- Country Risk
- Politically Exposed Persons
- Patron Behaviors and Characteristics
Establishment of a BSA/AML Compliance Officer
The Best Practices Guidance also calls for the establishment of a BSA/AML compliance officer who should understand the casino’s products and have “the appropriate authority and resources to implement the program and assist the casino in managing risk.” This includes ensuring that the BSA/AML compliance officer has “sufficient stature in the organization to be a member of, or otherwise be able to regularly brief, senior leadership.”
According to the Best Practices Guidance, ongoing training should be provided to employees who assist in transaction reviews or patron transactions. These employees should understand the products themselves and how they can be used to launder money so as to identify red flags. Training should be appropriate for the level of seniority and responsibilities of employees and management. For instance, senior personnel should receive training tailored to the oversight and assessment of AML risks, while frontline supervisors and employees should be trained and tested on how to identify suspicious activity. At a minimum, training should extend to the following categories of employees:
- Those engaged in the operation of casino games (table games, poker, slots, keno and bingo, and sports betting), at least beginning with supervisors and above.
- Casino marketing employees whose job requires frequent direct contact with patrons, including domestic and international hosts, branch office employees, and, if applicable, special events employees.
- Cage employees.
- Surveillance employees.
- Property compliance and AML compliance employees.
- Audit employees, including internal audit and fraud department employees.
- Senior gaming management, board of directors, audit committee, or compliance committee, as applicable.
Know Your Customer/Customer Due Diligence (KYC/CDD)
The Best Practices Guidance also devotes considerable time to casinos’ KYC/CDD practices in the face of FinCEN’s beneficial ownership rule. The rule, which we have blogged extensively about, does not apply to casinos. However, the Best Practices Guidance suggests that casinos determine, on a risk basis, the level of Customer Due Diligence they should conduct in situations involving payments from third party companies for the benefit of customers, including the gathering of beneficial ownership information.
It notes that other elements of a good KYC/CDD program involve:
- Patron identification and verification: Casinos should require government issued identification but should consider under what circumstances it may require additional information such as occupation, employer, business affiliations or bank account information.
- Verification: In the face of obvious indications of fraud, casinos should determine whether they can form a reasonable belief that they know the customer’s true identity. This may include instances that suggest that information on the government issued ID is no longer accurate, including the patron’s permanent address. If the casino is able to identify by reasonable inquiry the more recent and accurate information for the patron, it may wish to update any SARs or CTRs filed for this patron. Discrepancies or inability to verify certain information may be grounds for filing an SAR.
- Currency Reporting: Patron identification is required to determine whether persons are acting as agents for another person or are performing transactions in conjunction with other patrons. This identification is required to determine whether transactions, when aggregated, trigger the filing of a CTR.
- Sanctions: Based on due diligence conducted, casinos may want to consult sanctions lists, specifically the Office of Foreign Assets Control’s (“OFAC”) Specially Designated Nationals.
- Ongoing and Enhanced Due Diligence for high volume patrons: Casinos should review persons against public records to determine whether they are politically exposed persons, subject to negative reports, or have a prior criminal history relevant to AML risk. Based on such information gathering, the casino may want to obtain more information regarding the patron’s source of funds, leveraging information sharing where possible. If, based on due diligence, the casino were to find that multiple SARs had been filed for a patron, that there was negative news about the patron, or that it had received a law enforcement request for information concerning the patron, the Best Practices Guidance urges casinos to consider terminating or restricting the relationship with the patron.
In addition to these broad categories, the Best Practices Guidance contains suggestions for SAR Reviewing Procedures, Transaction Monitoring, Potential Suspicious Activity, Audit Activity, and Record-Keeping and Retention. The report concludes by reminding casinos that perfection cannot be expected: given the subjective judgments required by the BSA, “no compliance effort can be perfect or immune from retrospective re-evaluation.” Nevertheless, the Best Practices Guidance urges the industry to reconsider AML/BSA compliance efforts given the ever-changing patterns of illegal activities and periodic shifts in financial practices and regulations.