The gaming business might be predicated on convincing customers to bet their fortunes on games of chance, but make no mistake: regulations for the casino gaming industry are as exacting as they come. That poses daunting challenges for compliance officers in the business trying to build a program fit for purpose.
At a high level, casino operators are subject to the same anti-money laundering (AML) rules that banks and other financial firms are under the Bank Secrecy Act. The four fundamental principles of AML compliance are also well-known:
- Written policies, procedures, and controls;
- A designated AML compliance officer;
- Ongoing AML employee training;
- Independent testing of the AML program.
Start applying those principles to the specific challenges of the gaming industry, however, and those daunting challenges mentioned above start to emerge.
Risk Assessments Are More Complicated
All risk assessments should begin at the specific place where your employees and customers do business — but in gaming, one firm might own multiple casinos that are radically different. Each location might have different games, a different clientele (say, high rollers overseas versus local visitors betting small dollars), and even different physical layouts that constrain operating procedures.
That’s not like most other consumer-facing businesses, that try to roll out identical locations, products, and procedures at scale. So the casino gaming industry needs to take a more thoughtful approach to risk assessment from the start and tailor its policies and procedures to fit the location.
Know Your Customer Procedures Need To Be Stronger
Yes, casinos need to report suspicious customer transactions like any other financial firm. On a practical level that can be difficult, because many high rollers (especially wealthy foreign nationals from high-risk countries) prefer their privacy.
The company will need to develop policies about customer due diligence anyway, train employees on how to implement them, and maintain a strong control environment to convey to those employees that, yes, KYC rules apply to all, no matter how high the high roller is.
Those KYC rules will also need to intersect with the firm’s cash management and regulatory reporting systems. For example, a customer wiring money from overseas account needs different treatment than one who drops $100,000 in currency at the cashier’s desk. A customer with one SAR in his or her past can be treated one way; a customer with five SARs in the last 12 months is much more high-risk. Casinos need to know those details and use past SAR activity to help refine future due diligence on returning customers.
Training is More Complex
Casinos have high employee turnover like many retail businesses. That means compliance officers need to monitor how employees move throughout the business (dealers promoted to pit bosses, for example) and ensure their training reflects the roles and responsibilities they currently have. Compliance officers also need to monitor third parties working with the business (caterers, security, janitorial) and assess any training they might need as well.
One factor working in the compliance officer’s favor: casinos know they’re at high risk for fraud. While other businesses might think, “that would never happen here,” casino operators assume everyone wants to chisel them. It’s the only sure bet in the whole industry.
Reporting Capabilities Must Be Sharp
Even for internal purposes, casinos must track chips, cash, and customer behavior in exacting detail. The external reporting requirements are even more onerous: SARs to the Treasury Department, regulatory filings to state gaming commissions, special reports to law enforcement, and more.
Compliance officers need to ensure that those reporting procedures and systems can pull together the correct data from all locations. That can bring challenges of data collection and harmonization if different locations use different applications or report data in different formats. It also requires strong policy management, so local operations don’t deviate from standard procedure without alerting the compliance function first.
Oh — and never hit the craps table “just one time, I swear!” on your way out the door. You’ll quickly have no cash left to manage.