There’s no doubt that Covid-19 has caused a major shakeup of the gaming world, changing the way business will be conducted for years to come. During this crisis, operators must focus on safety while maintaining gaming operations as jobs, livelihoods and the health of loved ones and strangers are on the line.
In an unintended consequence of this refocusing, some gaming operations are overlooking the regulatory aspect of their operations. In gaming, as in any thriving or emerging industry or technology, regulations play catch-up to operations.
Regulators and compliance teams have an incredibly important mission that cannot be put on hold despite new and challenging circumstances, such as the current pandemic.
For example, due to Covid-19, we’re seeing the move to digital at a rapid pace, with an urgency that was unknown in the past. For a long time, it’s been widely recognized that cash is an outdated form of payment with the exception of very few businesses, including the casino industry. Cashless payment technologies for gaming have been available for years, but the urgency to implement them and transform player acceptance is evolving at lightning speed.
With this new technology, regulators and compliance teams need to understand the transaction process, which now will rely even more on other service organizations for proper internal controls. Regulators should understand any transaction or process that they oversee, from start to finish.
To verify specific best practices, they should always review a systems and organization controls report (SOC) from any third-party business solutions provider. These reports, compiled and verified by third-party auditors, provide independent assurance of best practices. Depending on the level of SOC report, the document will incorporate multiple control frameworks and industry standards.
As third-party providers increase and work shifts to a more remote environment, cybersecurity is at the forefront of everyone’s mind. In 2020, data breaches on a national level were numerous. Especially noteworthy was the Solar Winds hack in December. Some experts say it may be the largest-ever hacking campaign, with several federal agencies and Fortune 500 companies breached.
Casinos weren’t immune from cyberattack either. Several major breaches occurred in 2020, and some infiltrations caused casinos to be shut down. The revenue impact can be severe; IBM reports that the average cost of a data breach is $3.9 million.
In addition to SOC audits, casinos should consider implementing a managed detection and response (MDR) solution. Using machine learning and artificial intelligence, MDR looks for indicators of compromise, like someone attempting to log into a user account or gain access to a database.
Regulators should ensure that multi-factor authentication is built into their programs, provide consistent and updated training, and work with a virtual chief security officer when it doesn’t make sense to hire one internally.
As the past has showed us, no single cyber-solution is 100 percent foolproof. But ensuring the risk is mitigated is one strong pillar of a successful compliance program.
Title 31/AML Compliance Evolution
At the 12th annual Anti-Money Laundering Conference in Las Vegas in 2020, Kenneth Blanco, director of the Financial Crimes Enforcement Network (FinCEN), discussed how new technologies will impact financial crime detection—particularly in sports betting and mobile gaming.
This year, more casinos and states will move to adopt sports betting and mobile gaming. Compliance programs must ensure the proper integration of any new services or offerings. Fortunately, regulators have a world of experience to draw upon, gleaning intelligence from jurisdictions around the globe where sports betting has been legal for decades.
Ensuring that casinos use “all available information” is as relevant as ever as new technologies evolve. This regulation is published in the Code of Federal Register §1021.210(b)(2)(v): “Procedures for using all available information to determine: (A) When required by this chapter, the name, address, social security number, and other information, and verification of the same, of a person; (B) The occurrence of any transactions or patterns of transactions required to be reported.”
Obviously, this is a very broad regulation, but it’s been mentioned in every speech and enforcement action by FinCEN in the last several years.
Consider building these items into your sports betting or mobile gaming applications for detection: patterns of transactions, structuring, know-your-customer (KYC) and cyber-related incidents. Each one can be considered “all available information,” and each has been singled out by FinCEN.
Let’s Talk Cash
As the gaming floor transforms, casinos cannot take their eye off the ball related to cash transactions, which are still the heart of Title 31/AML compliance. Title 31/AML remains a vital component of any casino’s regulatory structure, and the tone starts at the top.
In the 13 enforcement actions against casinos and card clubs since
2000, eight cited the lack of a culture of compliance. In any uncertain environment, management may look at cost reduction in all areas, including compliance. But any reduction in compliance should be heavily evaluated before action is taken.
If you live in a state where the government has imposed lockdowns, tribal casinos may still be operating, since tribes are sovereign nations and can exercise their own judgment on closure and hours. With other entertainment options closed, tribal casinos have seen a completely new customer base enjoying their facilities. While this is positive for the tribal casino industry, compliance now has additional work to do to ensure the casinos maintain proper KYC obligations according to their existing AML programs.
Possible Changes In AML Regulations
Last fall, FinCEN issued an advanced notice of proposed rulemaking (ANPRM) on “Anti-Money Laundering Program Effectiveness.” The document requested public comment on potential regulatory amendments.
As if 2020 hasn’t thrown enough at us, operators and regulators should be prepared for another possible curveball in 2021. Hopefully, any amendments would help clarify confusion from past broad AML regulations.
Some of the highlights from the ANPRM would clarify how a program should assess and manage risk as related to risk assessment. The amendments also consider modernizing the regulatory rules to address evolving threats of illicit finance, while providing greater flexibility in the allocation of resources. This would be a welcome change, as a casino’s AML compliance program should be commensurate with the risk at the facility.
As former U.S. Deputy Attorney Paul McNully famously stated, “If you think compliance is expensive, try noncompliance.”
If you haven’t started planning around or taking action on these regulatory concerns, it’s time to get started.