Casinos: Don’t gamble with your AML program
Casinos and other gaming establishments from across the globe are increasingly facing the consequences of failing to comply with anti-money laundering (AML) regulations and to maintain effective compliance programs. In British Columbia, Canada, River Rock Casino’s business practices—including accepting C$13.5m in cash in only one month, and nearly half a million dollars in just one buy-in—led to an investigation that determined that some of the province’s casinos “unwittingly served as laundromats for the proceeds of crime,” representing “a collective system failure”.
In California, USA, Artichoke Joe’s Casino was fined US$8m for failing to implement and maintain an effective AML program, and failing to detect and report suspicious transactions in a timely manner. The acting director of FinCEN noted that the fine also resulted because the card club intentionally “turned a blind eye to loan sharking, suspicious transfers of high-value gaming chips, and flagrant criminal activity that occurred in plain sight.”
The financial activities of casinos have become similar to those of traditional financial institutions such as banks and so it’s no surprise that criminals are drawn to these establishments to launder money. Many casinos are available 24 hours a day and with the large variety, frequency and volume of transactions—the majority of which are cash-based—they are an increasingly attractive target for money launderers.
These inherent risks combined with the previously mentioned fines and penalties for compliance failures clearly highlight the increasing importance of having an effective program to combat money laundering and other financial crimes.
Threats to watch for
Under the Bank Secrecy Act (BSA), casinos are required to complete regulatory reports should a number of scenarios occur. Examples include the following:
- Alters transaction to avoid BSA recordkeeping requirement
- Alters transaction to avoid CTR requirement
- Patron cancels transaction to avoid BSA reporting and recordkeeping requirements
- Multiple transactions below BSA recordkeeping threshold
- Multiple transactions below CTR threshold
- Suspicious inquiry by patron regarding BSA reporting ore recordkeeping requirements
- Frequent deposits of cash, checks, bank checks, wire transfers into casino account
- Funds withdrawn from account shortly after being deposited
- Minimal gaming with large transactions
- Suspicious intra-casino funds transfers
- Suspicious use of counter checks or markers
- Frequent cash out transactions without corresponding buy in transactions
- Use of casino account as a savings account
- Contact between patrons and casino staff outside of the casino
- Inquiry about end of business day
- Exchange small bills for large bills or vice versa
- Account activity with little or no gambling activity
- Associations with multiple accounts under multiple names
- Suspicion concerning the source of funds
- Suspicion concerning the physical condition of funds
- Suspicious designation of beneficiaries, assignees or joint owners
- Funds transferred from casino account to a charity fund
- Suspicious exchange of currencies
- Suspicious receipt of government payments/benefits
- Suspicious use of noncash monetary instruments
- Suspicious use of third-parties (straw-man)
- Transaction out of pattern for patron
The above list represents just some of the scenarios that casinos need to monitor. As bad actors find new ways to launder money and new technology and payment methods emerge, this list grows exponentially and the scenarios become more complex.
Ongoing monitoring requirements
Because the BSA considers casinos or other gaming establishments with an annual gaming revenue of more than $1m to be financial institutions, these businesses must fulfill certain ongoing monitoring requirements. In Canada, for example, the national regulator stipulates that financial institutions “determine and implement a periodic review of all information regarding the clients with whom [they] have a business relationship.”
As part of their ongoing monitoring requirements, many regulators expect casinos to not only detect and report on any suspicious transactions but to keep client identification up-to-date, and to continuously re-assess client risk based on their activities and transactions.
Requirements such as these make real-time transaction monitoring and risk scoring models essential processes of the Know Your Customer (KYC) requirements. However, many casinos are not taking advantage of these risk-management tools.
Benefits of transaction monitoring and how to get started
Like their counterparts in the banking world, casinos serve thousands of patrons and conduct millions of transactions, which can make transaction monitoring and risk screening processes cumbersome. Leveraging technology to automate these processes, such as the detection and filing of currency transaction reports (CTRs) and suspicious activity reports (SARs), significantly reduces the burden on overworked compliance professionals.
Risk screening processes also allow casinos to determine whether patrons or third-parties have been placed on any sanctions, regulatory or law enforcement list, review their activity profile and any implied associations or relationships to high-risk entities, and more closely assess their risk level. Leveraging external data from a reputable and comprehensive source, such as Thomson Reuter’s World-Check Database, is especially beneficial to this process.
For casinos just getting started with transaction monitoring technology, they can begin with rules-based analytics before moving on to artificial intelligence and machine learning. Rules can automatically flag disbursements above $10,000 or multiple transactions just under reporting thresholds, for example.
To build on this framework, casinos can then add additional layers to reduce alerts and false-positives, such as the patron’s risk profile. If a patron is considered high-risk and suspected of being involved in structuring or layering of transactions, the compliance team should spend more time scrutinizing and possibly blocking those transactions rather than ones being initiated by low-risk patrons.
Screening for politically exposed persons
Although casinos are well-known for trying to protect their VIPs for fear of losing their business, there is a growing risk of fines and penalties that—depending on the severity of the compliance failure—could be as significant as losing their casino license. With so much at stake, it is essential for gaming establishments to take measures to prevent these consequences. For example conducting enhanced due diligence that includes screening patrons to identify politically exposed persons (PEPs).
According to the Financial Action Task Force (FATF), a PEP is “an individual who is or has been entrusted with a prominent public function.” Brett Barrett, Risk Specialist for Thomson Reuters’ Financial & Risk Division, acknowledges that adjusting risk levels for PEPs can be challenging. He points out that “Unlike someone on a sanctions list, being a PEP does not automatically indicate that someone is suspicious. Being a PEP means, simply, that holding a prominent position in public life—or being associated with an individual who does—puts you at a higher risk to be influenced (bribery or corruption, for example) or more likely to have access to certain resources (e.g., government funds).” Because of this, gaming establishments must be cautious when doing business with PEPs or anyone closely associated with them.
Risk scoring and transaction monitoring
When determining a patron’s risk, three aspects should be considered: the patron’s profile, their relationships and their activities. Transaction monitoring provides the opportunity to see patrons’ activities and gain a more complete picture of the risks. The profile score can be influenced by; country of residence, industry, occupation and type of employment.
Activities that influence risk scores may include; prior CTRs or SARs filings, suspicion of money laundering or any other offences.
Calculating risk scores by patron profile, activities and relationships can be automated using weighted risk factors. Technology can also be used to continuously re-assess a patron’s risk score, depending on their activities and any changes in their personal and business information.
The role of data quality
Transaction monitoring, sanctions screening, and searching for PEPs are essential tasks for casinos, and if not performed properly or diligently could open the business up to risk. This risk increases if an organization relies only on internal data or poor-quality data.
Barrett points out that “when it comes to monitoring transactions, high-quality data is essential. For transaction monitoring systems to be effective, as much information as possible about the patron, accounts, products, financial institutions and jurisdictions involved is required. The accuracy of alerts is directly related to the quality of data fed into the system, with poor quality data significantly increasing the number of false-positives a compliance team will have to investigate.”
Financial institutions should consult with third-party data sources, such as the Thomson Reuters World-Check Database, and gather and enrich their internal data as much as possible to be most effective. Additionally, technology should be used to identify and fill in gaps in data, and to cleanse it to improve data of a lower quality.
Success built on effective monitoring and screening
Gaming establishments today are quickly realizing that they must screen not just their patrons but also their transactions in real-time to detect and prevent financial crimes—and to avoid doing business with those who could put the casino at risk for consequences that could include the revocation of its casino license.
While technology doesn’t completely solve these challenges, the most effective compliance programs utilize ongoing monitoring fortified with regular transaction monitoring and screening, clean and high-quality data and PEPs screening that leverages both third-party data sources and internal watch lists to build successful and AML-compliant businesses.
About Andrew Simpson:
Andrew Simpson has close to two decades of experience in the information systems audit and security business; specifically data analytics, interrogation and forensics. He is a regular contributor to various auditing conferences and is acknowledged as an expert on continuous controls monitoring and revenue assurance.
Connect: Andrew Simpson