TL;DR: FinCEN has relaxed some of its rules and now allows gaming institutions (casinos and card clubs) to meet their customer identification requirements by using either (1) examination of a document, such as an unexpired driver’s license or passport; (2) “non-documentary means” (such as knowledge-based authentication, database verification, customer interviews, or review of financial documents); or (3) a combination of both. Gaming institutions—especially those offering online gaming—should consider revising their patron identification systems, which should be risk-based and documented in the company’s anti-money laundering program. Casinos should also make sure to recalibrate other parts of their AML programs, such as policies regarding SAR monitoring, training, and testing. State laws, which are unaffected by this FinCEN decision, may also have specific requirements.
The who, what, when, where, and why
Who: Casinos and card clubs
What: Allowance for casinos and card clubs to use non-documentary means to verify a customer’s identity.
When: Effective October 19, 2021
Where: The Exceptive Relief is available here1
Why: FinCEN determined that the original in-person and document-verification rules reflected prior technological restraints, and that the industry had since evolved. The agency also heard from various stakeholders within the industry, and learned that new technologies, including third-party service providers, offered databases and other methods that can provide more reliable verification of an online customer’s identity than documentary methods.
Background and regulatory regime
The Financial Crimes Enforcement Network (FinCEN), a component of the U.S. Department of the Treasury, is the federal government’s principal AML regulator; the agency administers the Bank Secrecy Act and its implementing regulations, and oversees a broad range of financial institutions for AML compliance, including banks, securities brokers and dealers, mutual funds, and others. For some industries, such as money services businesses, precious metals/precious stones dealers, and casinos and card clubs, FinCEN has exclusive civil federal jurisdiction for AML compliance. FinCEN has taken several enforcement actions against the casino industry for AML deficiencies.
The rules covering casinos and card clubs (collectively referred to here as “casinos” for simplicity) require them to obtain certain identifying information for the customer prior to a deposit of funds, account opening, or extension of credit. Under the existing rules covering casinos, the verification must be made by “examination of a document” of a type described in the regulations.
By contrast, certain other financial institutions—such as banks, which are subject to “Customer Identification Program” (CIP) requirements—are allowed to use “non-documentary means” to establish a customer’s identity. For instance, many of these institutions may, on a risk basis, use various methods to ascertain a customer’s identity without resorting to an ID document. (Casinos are not subject to the CIP rule, although they are covered by know-your-customer (KYC) requirements.)
FinCEN possesses the authority to modify and loosen its rules by issuing administrative exemptions, titled “exceptive relief.” Over the past several years, FinCEN has expressed an interest in hearing from industry and other stakeholders about how its rules can be modernized, streamlined, and made more effective.
In its October 19 ruling, titled “Exceptive Relief for Casinos from Certain Customer Identity Verification Requirements” (numbered FIN-2021-R001, and available here), FinCEN noted its discussions with various stakeholders regarding the patron identification requirement, and specifically about the availability of third-party databases that “pull information from a multitude of publicly available resources” that “can provide more comprehensive verification of an online patron’s identity than the documentary methods currently required by FinCEN’s regulations.” The agency also noted that some states, such as New Jersey, allow mobile gaming in which “a patron may open and fund an account and place wagers over the Internet without entering a facility at any point,” although she may only place wagers within the jurisdiction.
Exercising its “exceptive relief” authority, FinCEN loosened the requirements of the identity verification rule to allow casinos to use such “non-documentary methods” to verify customer identity, much like those types of financial institutions covered by the CIP requirements. Thus, casinos now may comply with the rules by using those compliance measures, and may use non-documentary means to the extent consistent with a risk-based approach for CIP programs. Those non-documentary methods may include, for instance:
Communications with the patron herself;
Verification through comparison of information from the customer with other information from public databases, consumer reporting agencies, or other resources (this is sometimes referred to as “knowledge-based authentication,” testing the patron’s answers to known data points);
Reference-checks with other financial institutions.
Obtaining and confirming with other financial statements.
What this means and what to do
Assuming that a casino wishes to avail itself of this exceptive relief, it should consider the following to calibrate its AML compliance program:
Modify the identity verification policies. The policy should spell out protocols for when to use identity document inspection (i.e., traditional ID verification); when “non-documentary means” will be appropriate; and if/when to use a combination of the two approaches. For document verification, the AML policy should describe minimum acceptable documentation, including the types of documents to be reviewed and means of testing their validity. For non-documentary means, the policy should explain what verifications may be used and describe the controls to place on those verifications. Given that these controls and policies are risk-based, the casino should document those decisions. The policies should also contain escalation procedures, especially where a customer “fails” non-documentary verification, and may need to provide a document to validate her identity.
Consider other policies. Allowing customers to establish their identities through non-documentary methods may be more reliable than document review in many cases. At the same time, it opens new possibilities for fraud and other forms of suspicious activity, such as identity theft, account takeover, providing false identity information/responses, and the like. Casinos, like (most) other financial institutions, are required to file suspicious activity reports (SARs), and many of these new issues may give rise to new reportable activities.
Train employees. Unfollowed good policies are bad policies. Any new procedures or internal controls must be communicated and taught to employees.
Vet any third-party service providers. Not every “non-documentary means” will be sufficient or reliable and not every third-party service provider will be able to provide reliable verification of patrons. Financial institutions are accountable for the failures of their vendors and other service providers, so if a casino employs a third party to perform its non-documentary verification of identity, it should be cautious in its choice and make sure that the provider’s processes are auditable. In some jurisdictions, such service providers must have an appropriate registration or license from the gaming regulator.
Test. The AML rules require casinos to periodically perform an independent review of its AML compliance program. After a certain amount of time – likely no later than a year (and perhaps even sooner) – the casino should perform an independent review to ensure that the program is working well. The review should also include an assessment/testing of the casino’s third-party service provider(s).
Note non-AML issues. Identification verification is, of course, a critical component of AML compliance, and it also plays an important role in other compliance and legal obligations, including those surrounding underage gambling, responsible gaming, internal fraud issues, and sanctions compliance. Casinos should ensure that these new programs and service providers align with those compliance obligations.
Keep an eye out for state rules. Even if permitted under federal rules, some states have more stringent requirements, including (in some jurisdictions) document examination rules or even rules that the patron present a document for in-person inspection. FinCEN’s exceptive relief does not modify or displace state rules.
Should you have any questions about this or any other gaming matters, or if we can be of any service, please feel more than welcome to contact any of us or any other Hogan Lovells attorney.
Authored by Gregory Lisa, Annika Lichtenbaum, and Molly Newell.