Federal and State Regulators Increase Scrutiny of Casino AML Practices
See all Insights

Federal and State Regulators Increase Scrutiny of Casino AML Practices

Brownstein Client Alert, Sept. 24, 2024

Recent money laundering-related enforcement actions targeting casinos by both the U.S. Department of Justice (“DOJ”) and state regulators suggest increasing scrutiny of anti-money laundering (“AML”) compliance efforts within the gaming industry. Indeed, at an annual casino AML conference held in Las Vegas recently, presentations by several senior government officials all included the same message: strict compliance with the requirements of the federal Bank Secrecy Act (“BSA”) is expected, failures to comply may lead to enforcement actions, and the penalties for noncompliance can be severe. But what exactly does the BSA require and how can gaming companies ensure that their BSA compliance programs can withstand scrutiny?

First, it is important to understand how the BSA applies to U.S. casinos and what it requires. Under federal law, U.S. casinos with annual gross gaming revenue of more than $1 million are considered to be non-bank financial institutions and are therefore subject to certain AML requirements of the BSA and related regulations (See, generally, 31 USC 5312(a) and 31 CFR 1021.210). Basically, these requirements include the implementation of an AML program with the following component parts: (1) a written AML compliance program; (2) a system of internal controls; (3) internal and/or external independent testing for compliance; (4) training of casino personnel, including training in the identification of unusual or suspicious transactions; (5) designation of an individual or individuals to assure day-to-day compliance; (6) procedures for using all available information to identify customers and to file required reports; and (7) for casinos with automated data processing systems, the use of automated programs to aid in assuring compliance. Each of these requirements is discussed in more detail below.

Written AML Program. This should be a comprehensive document that is risk-based and clearly outlines the program basics, including the roles and responsibilities for AML compliance within the casino operation, requirements for AML training, the existence and functioning of the casino’s AML committee, the frequency of independent testing, and some of the basic policies covering a range of issues from front money deposits to third-party wires to law enforcement requests to customer due diligence. This program document need not, and should not, include all of the specific internal controls that apply to the program’s day-to-day operations, but should be detailed enough to reflect a comprehensive program that complies with the BSA’s requirements and best practices.

Internal Controls. Beyond basics that are clearly articulated in the casino’s AML program document, specific, written internal controls should exist and serve to guide the casino’s employees as they perform their daily functions. This is where the details concerning know your customer (“KYC”) practices, filing Currency Transactions Reports (“CTRs”), initiating Suspicious Activity Reports (“SARs”) and other required tasks should be set forth in detail for use by the various casino departments including the compliance team.

Independent Review. On a regular basis, key components of the casino’s BSA compliance program should be tested against the internal controls to identify whether policies and procedures are being followed. While the casino’s internal audit function, assuming sufficient independence, can generally perform this function, an outside expert should be periodically engaged to conduct a comprehensive review of the program.

Training. Every casino employee whose job puts them in a position to, in any way, be relevant to the operation’s AML efforts must receive regular training. This training can be virtual or in-person but should be tailored to each person’s role and responsibilities, and should be supplemented following certain events or developments that suggest the need for additional training. Any training program should include the c-suite and, in larger organizations, the company’s board of directors. In addition, certain subsets of employees, such as the casino customer representatives or “hosts,” may be identified for special training to focus on issues and scenarios that pose the most significant risks to the casino.

BSA Officer. Every casino subject to the BSA must designate a “BSA Officer” who is responsible for all BSA-related matters within the operation. The BSA Officer should have the right experience and expertise and should have sufficient status and authority within the organization to be able to make and enforce the many difficult decisions that come with the job. The BSA Officer has responsibility for managing the team that does the daily BSA compliance work including customer vetting, the filing of SARs and CTRs, and other routine tasks. Beyond the day-to-day, the BSA Officer is also responsible for training, coordination with other departments within the casino, liaison with regulators and law enforcement, and ensuring that senior leadership knows and understands the details of the casino’s AML compliance program.

Using All Available Information. For a subset of the internal controls component discussed above, it is important that the internal controls that form the operational reality of the casino’s AML compliance efforts be designed in such a way as to be able to access and incorporate all available information. This means that every piece of data that is known or should be known to the compliance team is considered when engaging in KYC, when determining whether a CTR must be filed or when deciding if a SAR should be filed. A casino’s AML program cannot be effective if information is siloed or not communicated internally, thus allowing important decisions to be made without a complete picture of all of the information available.

Automated Data and Automated Programs. The regulation’s last requirement simply means what it says. If a casino utilizes automated data, as virtually every modern casino operation does, then the casino must also utilize technology in the form of automated programs to be able to access and understand that automated data for BSA compliance purposes. More than anything else, this requirement essentially requires that adequate technology be incorporated into a casino’s AML efforts. 

Beyond these requirements that are actually set forth in the BSA and related regulations, there are certain best practices that enforcement actions over time have revealed to be more than “nice to have” components of any effective AML program. Thus, while not necessarily spelled out in the letter of the applicable law or regulations, the absence of the following compliance fundamentals will be noticeable to regulators if and when a casino’s AML program comes under scrutiny.

The Compliance Function Should Be Independent. The precise definition of “independent” in this context will depend on the size of the casino and where it may fit into a larger corporate family structure, but regardless of these details, it is critical that key AML decisions such as whether to file a SAR, be made independently and without regard to revenue concerns. It is also important that the casino’s BSA Officer have a direct line to the company’s senior leadership, including the c-suite, and board of directors or audit committee of the board, if applicable, on issues of critical importance. 

Risk Assessments Should Be Regular and Detailed. In order for a casino’s AML program to be effective, it must be risk-based, and a casino must regularly engage in a comprehensive assessment of all money laundering risks it faces. Each assessment must identify these risks, evaluate them, rank them, and prescribe controls to eliminate or mitigate them. Ideally, an updated risk assessment should be done regularly. An initial risk assessment, or an update to one that is more than a few years old, can be a complex undertaking and the use of an outside expert should be considered. Once a good template is developed, regular updates are relatively simple and can be done in-house. Recent enforcement actions have suggested that the risk assessment is one of the most critical aspects of an effective BSA compliance program. Indeed, while not currently required, the Financial Crimes Enforcement Network (“FinCEN”) has proposed a new rule that would make such regular risk assessments a regulatory requirement (See Anti-Money Laundering and Countering the Financing of Terrorism Programs: 89 Fed.Reg. 55428 (July 3, 2024).

Senior Management Should Understand AML Compliance and Take Their Oversight Role Seriously. Any casino large enough to be subject to the BSA’s requirements should establish an internal oversight structure that can assure senior leadership that the casino’s BSA compliance program is appropriately designed, adequately resourced and is effectively functioning. This starts with ensuring that the BSA Officer is qualified and performing at a high level. Effective oversight of the BSA Officer can be performed by a committee of the company’s board of directors, such as an audit committee, or by an independent committee made up, in whole or in part, of persons who are not company board members or executives. However it is structured, the key is that the casino’s AML efforts are regularly reviewed to include a review of the independent audit findings or other independent reviews of the BSA compliance performance.

Customer Barring Decisions Should Be Risk-Based and Documented. While the BSA itself does not require barring of customers, the law does prohibit a casino from knowingly receiving the proceeds of illicit activities. To avoid the risk of violating that criminal prohibition, a casino should take a conservative approach and be quick to act once the facts appear to indicate that a customer’s source of funds is from illicit activities. Even the best plan may not work if employees fail to report to the BSA Officer or compliance team any information indicating that a customer’s funds may be the proceeds of criminal activity. Equally important is the need to carefully document the reasons why a customer who comes under scrutiny is ultimately not barred.

In summary, the potential repercussions of not maintaining an effective AML program to the point that the casino is violating the BSA can be major and may include civil fines, criminal prosecution and significant collateral consequences affecting, most importantly, a casino’s ability to keep its license to operate. At least one recent enforcement action should serve as a reminder that there can also be liability for individuals who are responsible for ensuring that the enterprise is following the law. Recent enforcement actions, both federal and state, also serve as a reminder that not only is BSA compliance a current government priority, but that the cost of noncompliance is growing. Every casino subject to the BSA would be well advised to get out in front of potential noncompliance issues by reviewing its program in light of the several key program requirements and best practices discussed a above. While it’s true that spending more money on compliance never results in more revenue in the conventional sense of the word, not spending enough is almost sure to lead to significant consequences, financial, reputational, and worse. All casino operators should now be on notice that the government, from DOJ to state regulators, are watching closely.


This document is intended to provide you with general information regarding regulatory trends in the gaming industry. The contents of this document are not intended to provide specific legal advice. If you have any questions about the contents of this document or if you need legal advice as to an issue, please contact the attorneys listed or your regular Brownstein Hyatt Farber Schreck, LLP attorney. This communication may be considered advertising in some jurisdictions. The information in this article is accurate as of the publication date. Because the law in this area is changing rapidly, and insights are not automatically updated, continued accuracy cannot be guaranteed.

Recent Insights