August 25, 2008

Tribal Casinos Are Being Audited by the IRS for Anti-Money Laundering Compliance

Holland & Knight Alert
Gregory A. Baldwin

The Bank Secrecy Act (BSA) requires that designated “financial institutions” implement and maintain anti-money laundering (AML) programs. Tribal casinos have been designated as BSA “financial institutions” since 1996, and the BSA regulations issued by the Treasury Department in 31 C.F.R. 103.64 prescribe the minimum standards for those programs.
The Internal Revenue Service (IRS) oversees Tribal casino BSA compliance through a periodic audit process. Because the BSA has been codified at Title 31 of the United States Code, such audits are often referred to as “Title 31 Audits.”
The IRS has stepped up its efforts at monitoring Tribal casino BSA compliance, and plans to continue and expand these audits on a three to four year rotation. Casinos that have been identified as “problem” or “uncooperative” can, however, expect more frequent visits.
This Alert provides an overview of what to expect during the course of an IRS BSA audit.

Overview of the Audit Process
An IRS Title 31 Audit (or “BSA/AML audit”) is unlike a standard IRS tax audit. Generally, a tax audit can be relatively adversarial in nature because it involves a search for undisclosed taxable revenue and frequently results in the imposition of additional taxes and penalties. The purpose of a Title 31 Audit is different. Unlike a tax audit, the aim of a BSA audit is not to collect money; it is to ensure BSA compliance. While a Title 31 Audit may result in disclosure of BSA violations (referred to by the IRS as “deficiencies”) that can be subject to financial penalties, imposing penalties is not usual and occurs only in the most egregious situations. The primary purpose is not to collect revenue, but to ensure that any AML program deficiencies are corrected. Thus, taking an adversarial or defensive attitude in a Title 31 Audit is almost always counter-productive and not in the casino’s best interest.
A Title 31 Audit will usually be conducted at the casino and the process will take several months. It is usually accomplished in three stages: (1) a review of the adequacy of the casino’s AML program; (2) a determination of whether the written AML program has been adequately implemented; and (3) an assessment of whether breakdowns in the program places the casino at risk for BSA violations, money laundering, or other financial crimes.

The Beginning of the Audit
A Title 31 Audit is conducted primarily by a field agent working under the direction and supervision of a case manager. The field agent is in charge of a team of IRS agents responsible for the actual conduct of the audit.
Typically, a Title 31 Audit is initiated by written communication from the IRS in an IRS Letter 1052. The letter will notify the casino of the BSA/AML audit, the period covered and the date of the initial IRS meeting with the casino.
The Letter 1052 will be accompanied by a formal Information Document Request, (IDR). The documents requested will be extensive and requested well in advance of the initial meeting so that the IRS audit team can come to the meeting fully prepared and ready to request not only additional documents, but also specific interviews. The IDR will not be the only documents the IRS will want during the audit. The initial request is typically exactly that – an initial request. Accordingly, once the process has begun, the casino should expect additional document requests throughout the audit process.
The IDR will include a request for the casino’s current written AML program and may also request all prior versions of that program. The purpose is to ensure that the casino has an AML program and that it contains procedures covering all of the BSA regulatory requirements. If it is incomplete, the IRS will identify those deficiencies and will report this to the casino.
The initial documents reviewed will also include the casino’s money laundering “Risk Assessment.” This is a key document that formally analyzes the money laundering risk faced by a particular casino.1 The procedures in the casino’s BSA/AML program will be assessed in light of the Risk Assessment. The IRS will specifically expect to see that the casino’s program procedures are geared toward the specific money laundering risks identified in the Risk Assessment. If the IRS determines that the casino’s Risk Assessment is adequate, the IRS audit team will use the casino’s Risk Assessment as its general guide for determining how to focus the audit. If, however, the casino does not have a Risk Assessment, or if the IRS team considers it to be inadequate, the IRS will develop its own money laundering Risk Assessment for the casino, and use that as its guide for the audit process.
The IDR will also request correspondence with law enforcement or regulatory agencies. The IRS audit team will want to know of any prior BSA/AML issues, problems or enforcement actions involving the casino and whether effective corrective action was taken.

Initial Appointment Meeting
The initial interview will typically be held at the casino and will be attended by all IRS personnel who will be involved in the audit. The IRS will expect, and will normally request, that the following casino personnel (or their equivalent) attend the meeting: the vice president finance; the casino controller; the casino manager; the casino cage manager; the director of information systems; the Title 31 compliance officer; and any others directly involved in Title 31 compliance.
At the initial meeting, the IRS will normally be prepared to answer any reasonable, relevant questions. A principal contact person from the casino will usually be identified for the IRS audit team, and, since the examination will typically be conducted at the casino, the necessary physical arrangements for conducting it on site, as well as access to necessary equipment, will be made.
The IRS will advise the casino that the IRS audit team will only be reviewing information relative to BSA compliance. However, the agents will also probably give the standard warning that if, in the course of the examination, information relative to possible violations of other laws or regulations is discovered, a referral will be made.
The IRS will ask a number of questions at this meeting about any related institutions, branches, entities, or other businesses operating within the casino, especially including the ownership and relationship of any money services businesses and ATMs. The IRS will also want to know the identity of key BSA compliance employees, how records are kept (whether manually or by computer), how those records can be accessed, what is the gaming day used by the casino for aggregating reportable currency transactions, and whether the casino cage and gaming floor are both using the same gaming day cut-off time (including the computerized player-rating system).
Overall, the initial meeting is a fact-finding tour by the IRS. The casino should expect the IRS to ask open-ended questions as opposed to “yes” or “no” questions. The casino should be open and candid in response. Evasive responses will only create the impression that the casino has something to hide. Inaccurate responses will eventually be uncovered and damage the casino’s credibility. In both instances, the result for the casino can be a longer, much more difficult audit process.

IRS Interviews of Employees
The IRS BSA/AML audit will include a substantial number of interviews of management and staff level personnel, including floor and cage managers, and particularly those employees responsible for preparing CTR-Cs and maintaining the records required by the BSA. Expect the IRS interviewers to focus on the casino’s BSA policies and procedures, internal controls and cash controls, BSA knowledge, BSA and AML training, BSA reporting and recordkeeping responsibilities and procedures, management oversight, the history of filing SAR-Cs and CTR-Cs, and identification, review and reporting of suspicious activity.
The IRS will interview the Title 31 compliance officer and the BSA/AML compliance staff to assess not only the overall compliance program, but also the BSA competence of the compliance officer and staff. The IRS audit team will also be considering the sufficiency of the physical and financial resources provided to the compliance staff by management.

The IRS can be expected to interview senior management. Senior management includes the casino’s governing body as well as the senior operations management, such as the CEO, CFO and COO. The general purpose of these interviews will be to determine knowledge of BSA requirements, the casino’s BSA program, management commitment to the program, and the level of support and resources provided to the compliance officer.2
The IRS can also be expected to interview other employees whom they consider to be key compliance personnel, especially those who are identifying and reporting reportable cash transactions and suspicious activity. This enables the IRS to determine the level and effectiveness of BSA training. The personnel interviewed will include employees handling cash transactions, plus surveillance and security personnel as well as other employees that generally come into contact with customers. The purpose is to determine whether the cash handlers know the BSA cash reporting and record keeping requirements. In addition, however, the purpose is also to determine whether those employees who have regular customer contact are trained on how to identify and report suspicious activity.
The IRS will prepare a Memorandum of Interview at the end of each interview to summarize the significant facts obtained during the meeting. Copies of interviews are usually not made available to the casino or the person interviewed.

The Scope of the Audit
The IRS will review and test the casino’s files, reports and other documentation to ensure compliance with BSA recordkeeping regulations. In particular, the IRS audit team will closely examine and test the casino’s internal controls and records for identifying and reporting reportable cash transactions and suspicious activity.
The scope and depth of the audit usually includes the most current six-month period because that will demonstrate the casino’s current compliance level (although if a casino has not been audited previously by the IRS the period may be longer). However, the time period may be lengthened or shortened during the audit, depending on the number and seriousness of deficiencies found during the process.

Suspicious Activity Reporting
The IRS audit team will review casino records and internal controls to ensure that all suspicious activity was identified, reviewed and reported on SAR-Cs, and that the casino did, in fact, use all available records to identify suspicious activity. Together with CRT-C reporting, it is the most important part of the audit and will receive the most attention from the IRS. In this part of the audit process, the IRS will be trying to find suspicious activity that the casino failed to identify and report. It will also review the SAR-Cs to ensure that the forms were correctly filled out, and that the supporting documentation underlying the reported suspicious activity is available and complete. The examination process will also include not only the identification and internal reporting of suspected suspicious activity, but also the subsequent review and decision-making process concerning each internal report. It will expect each step in this process to have been documented, and all reports – even those that did not result in a SAR-C filing – to be maintained in the casino’s files. The IRS will expect someone at management level (such as the compliance officer) to oversee the review, handling and reporting of suspicious incidents.

Cash Transactions Reporting
The IRS audit team will look for cash transactions that were not reported. It will also examine the casino’s filed CRT-Cs in order to determine that all reportable transactions were reported accurately and completely. A random selection of CTR-Cs will usually be reviewed, although IRS audit teams establish their own criteria for selecting which CTR-Cs to review. For audits covering a short time period, it is likely that all CTR-Cs will be examined. For longer periods, representative samples will be reviewed instead. The audit team will also be looking for reportable multiple transactions that were not reported.

Related Controls and Procedures
There are several controls and procedures closely related to CTR-C filing and to identifying suspicious activity that the IRS will concentrate on.
Checking the required BSA records is an obvious part of this aspect of the audit. Less expected by casinos (because not expressly required by the BSA regulations) is that the IRS will expect that reviews of internally reported suspicious activity, as well as the decision-making process on filing a SAR-C, be documented and internally filed. The IRS expects management-level involvement with cash transaction and suspicious activity reporting, and the IRS audit team will want to determine the extent of that involvement in these processes. The audit team will examine the internal processing of suspicious activity reported by employees and how those reports are handled. Specifically, the IRS audit team will want to know how and why decisions on whether to report or not to report suspected suspicious activity were made. In addition, the IRS will focus on whether the casino has actually used all its sources of information to identify suspicious activity, and not just relied on first-hand employee observation of customers. If the casino uses automated recordkeeping systems, the IRS will expect that it also use automated systems to help identify reportable cash transactions and suspicious activity.
Related to CRT-C and SAR-C reporting are those controls and procedures relating to customer identification. The IRS audit team will want to examine the casino’s procedures for accurately identifying its customers for recordkeeping and reporting purposes.
The Internal Revenue Manual, Section, reviews these and other topics in greater detail and provides a good idea of what specific areas a casino can expect will be covered in a Title 31 Audit. The manual can be accessed online at

BSA/AML Employee Training
Another area of focus will be on employee BSA training. The IRS audit team will request the casino’s training records to determine: (1) that employee training has been conducted; (2) that it is conducted on a periodic basis; (3) that records of employee attendance are kept so that the casino knows who has been trained and when; (4) that new employees are trained before undertaking any duties; and (5) that training materials are accurate and the instructors are competent. While the specific methods of BSA training may vary, the IRS audit team will expect the training to be subject to centralized control and supervision, usually by the compliance officer, and that all aspects of the employee training (who attended the training, when it was conducted, the subject matter of the training, etc.) to be documented and maintained in the casino’s files.

The Post-Audit Process
The IRS audit team will conduct an audit-closing meeting. If no BSA deficiencies have been found, the IRS will present a closing letter, known as a Letter 4029. More likely, though, deficiencies will have been identified, and a Letter 1112 will be issued. Receiving a Letter 1112 does not mean that a financial penalty will be imposed on the casino. A Letter 1112 is issued for violations or “deficiencies” which are considered technical, minor, infrequent, isolated, or not particularly substantive in nature. At this point in the IRS process of auditing Tribal casinos, most BSA deficiencies are considered in this light. In the future, however, deficiencies that remain uncorrected can be expected to be treated more harshly. The key is not to argue about whether a deficiency reported by the audit team is a deficiency, but rather to take the reported deficiencies seriously and take immediate steps to correct them.3 The Letter 1112 will contain corrective recommendations as well as findings. Following the IRS recommendations to the extent reasonably possible is only common sense.
The casino will have 30 days to respond in writing to the Letter 1112. In this response the casino can dispute a finding and/or explain the steps it has already taken and will be taking to address the IRS findings. The response also gives the casino the opportunity to file corrected SAR-Cs and CRT-Cs (and to explain why a SAR-C or CTR-C was not filed in a particular situation). After it receives the casino’s response, the IRS will submit the casino’s response together with its Letter 1112 findings to the Financial Crimes Enforcement Network (FinCEN), which will then decide whether or not any enforcement action is appropriate. Enforcement action will normally only be taken in the most egregious cases, usually when the IRS or FinCEN consider the program deficiencies to have been intentional, or the result of a conscious disregard of the regulations.
The IRS will expect the casino to make changes based on its recommendations and that these changes will be reflected in the casino’s written Title 31 compliance program. After the BSA/AML audit has been completed, the IRS may ask to see an updated written compliance plan that incorporates changes made based on the audit. In every case, however, each change should be carefully documented by the casino.

1 An AML Risk Assessment is not an “off the shelf” item. One size does not fit all. An effective Risk Assessment must be specifically tailored to the particular casino whose risk it purports to assess. 

2 The level of detailed knowledge expected from senior management will be lower than that expected of the compliance officer and compliance staff, but at least a general understanding of the BSA/AML laws and regulations and a familiarity with the casino’s BSA procedures will be expected. 

3 Of course, if the reported deficiency is based on erroneous premises, then the casino should respond accordingly. Quite often, however, the IRS audit team will report as a deficiency something that is actually not required by the BSA, e.g., the lack of a Risk Assessment. No regulation requires a written Risk Assessment, but the lack of one will invariably be considered as a deficiency. Arguing this point with the IRS is an exercise in futility. 

Related Insights