BSA Compliance

Risk Assessment on Know Your Customer policy

    One of the most critical management objectives for the Tribal Gaming Management is compliance with laws and regulations. The Bank Secrecy Act for the Indian Gaming hits the top of that list. The most recent $47 million settlement with a casino in Las Vegas has spread another wave of concern with the expectation gap between regulators and Casino management. As the Casino industry, as a non-bank filer, evolves its operation to be more and more similar to the banking industry, the AML requirement becomes more complex, making it difficult to meet the regulatory expectation. One of the most important compliance risks of the Casino today is avoiding criminal and/or civil penalty exposures for the casino and its employees. The adoption of Know Your Customer policy (KYC) policy would help meet the current needs of regulatory expectations. We will examine the five ingredients of implementing a sound and practical approaches to the KYC policy:

1. Understand regulatory environment: When it comes to compliance with the Title 31 regulations, the actual laws and regulations are not the only rules that you have to comply with. The actual BSA, FinCen Guidelines, FinCen Q&A and, FinCen director’s messages seem to be a useful source for understanding the regulatory agency’s expectations. This can be found on FinCen Website.

2. Risk assessment & monitoring: Risk assessment was one of the areas which the law did not explicitly require. However, in order to perform risk-based independent testing required by section 31 C.F.R. §1021.210(b), risk assessment seems not only mandatory but also prudent business practice. One of the high risk areas prevalent to the gaming industry is “being able to use all available information for compliance.” As the industry utilizes many technology solutions to accumulate data, the analysis of such data, including predictable and personalize data (Business Intelligence), would be an efficient way of addressing these risks.

3. Develop AML Program: Based on identified high risks, the Casino must develop its own Internal Control Policies and Procedures to mitigate such risks to a tolerable level of risk on an entity-wide level. At a minimum, the program should address the following elements at a minimum (section 31 C.F.R. §1021.210(b):

(1) Each casino shall develop and implement a written program reasonably designed to assure and monitor compliance with the requirements set forth in 31 U.S.C. Chapter 53, subchapter II and the regulations contained in this part.
(2) At a minimum, each compliance program shall provide for:
(i) A system of internal controls to assure ongoing compliance;
(ii) Internal and/or external independent testing for compliance. The scope and frequency of the testing shall be commensurate with the money laundering and terrorist financing risks posed by the products and services provided by the casino;
(iii) Training of casino personnel, including training in the identification of unusual or suspicious transactions, to the extent that the reporting of such transactions is required by this part, by other applicable law or regulation, or by the casino's own administrative and compliance policies;
(iv) An individual or individuals to assure day-to-day compliance;
(v) Procedures for using all available information to determine:
(A) When required by this part, the name, address, social security number, and other information, and verification of the same, of a person;
(B) The occurrence of any transactions or patterns of transactions required to be reported pursuant to Sec. 1021.320;
(C) Whether any record as described in subpart C of this part must be made and retained; and
(vi) For casinos that have automated data processing systems, the use of automated programs to aid in assuring compliance.

This program is ever-evolving as the risk associated compliance matters change in an organization.

4. Test compliance - independent testing: Independent testing should be performed by a competent and independent auditor to verify its program designed to protect against the unique money laundering and terrorist financing risks posed by the individual casino as described above. This testing should be based on risk assessments of the entity. If the casino determines that the KYC policy is one of the areas of high risk, the casino auditors should consider to have independent testing performed in such an area.

5. Communication: Effectiveness of an AML compliance program is hinged upon good communication and training in an organization. An Effective training program would also be based upon risks facing each department and the entity. Therefore, it is recommendable to customize the training program for each department and the level of duties on compliance with respect to the frequency and depth of training.

A strong BSA compliance program is key to protecting the biggest asset of your casino; its reputation. The first step to an effective and efficient BSA compliance program would be the entity-wide risk assessment and the continuous monitoring of such risks.

EJ Egghart, Egghart Consulting,

Newport Beach, California