Title 31: Risk Assessments - Part II
TRIBAL NATIONS QUARTERLY
As an extension of last quarter's article, Title 31: Establishing an anti-money laundering compliance program, the second part of this series will explore casino management's responsibility to evaluate the money-laundering and terrorist-financing risks for their property.
There are inherent risks for money laundering at casinos, as the volume of transactions makes it difficult to monitor patron activities. Decentralized transaction points such as kiosks, multiple cashiering areas, separate pits, and often thousands of slot machines all represent a high-risk potential. Casinos are faced with the challenge of understanding the risks unique to the property and documenting those risks in a formal risk assessment.
Interestingly, the regulation implies that a risk assessment must be performed but does not state the requirement specifically. Title 31 states that casinos must perform internal and external testing based on risk. In order to develop an audit plan based upon risk, the conclusion is that a risk assessment must be performed. The scope and frequency of the internal or external audits should be commensurate with the casino's risks of money laundering and terrorist financing.
Who should be involved?
When developing a risk assessment, the first challenge for the casino is deciding who should be involved. Again, while there is no specific guidance, the casino's management is ultimately responsible for Title 31 compliance, and typically it is the finance function of the casino that drives the process. However, the floor operations typically have the greatest insights into actual risks posed to the property, and therefore should be actively involved in communicating the risks and developing the risk ratings. Also, in Indian gaming, we frequently see the tribal gaming commission involved with the process as well. Gathering a team from a variety of departments such as Cage, Slots, Surveillance, Security and Finance, along with tribal regulators and internal auditors, can bring the greatest insights to the risk assessment process.
What should be evaluated?
The casino's risk assessment should incorporate the following:
- Products and services offered (e.g. types of gaming, credit offered, check cashing, etc.)
- General business factors (such as location, size and layout of property, etc.)
- Customer factors (e.g. frequency, level of play, familiarity by employees, number of foreign players, etc.)
- Employee factors (e.g. experience level, number, training, etc.)
In June 2010, the Financial Crimes Enforcement Network (FinCEN) provided guidance on risk-based compliance factors in its publication FIN-2010-G002. This guidance includes a list of factors for consideration by casinos when evaluating risk. However, the casino is responsible for incorporating these factors into a manageable risk assessment format. We recommend that the casino consider both the inherent risk factors and the controls in place to manage the risk in order to determine the residual risk rating.
When evaluating the money-laundering and terrorist-financing risks to the operation, don't forget to incorporate past internal and external audit reports as part of the evaluation, as well as the documented procedures for Title 31. If you haven't cross-referenced the Title 31 Compliance program to the regulations, the risk assessment process would be a good time to do so.
Risk assessments should be updated annually, or whenever there are significant changes to the operations. Significant changes may include things such as new slot monitoring systems, new games introduced to the floor, or new operating procedures. Include the frequency of the risk assessment in the Title 31 Compliance program, and document who in the operation (or tribal gaming commission) will be ultimately responsible for updating the risk assessment. Also, risk assessment reports should be maintained as part of the Title 31 record-retention requirements.
Finally, risk assessments can be much more than a regulatory requirement. If thoughtfully completed to include inherent risks, compensating controls, and residual risk, your risk assessment can serve as an internal road map to effectively understanding and managing your Title 31 compliance. It can also serve as a clear, demonstrable tool to outside regulators that you not only understand your risks but have developed controls to manage the money-laundering and terrorist-financing risks inherent in gaming.