September 2, 2008

Typical “Deficiencies” in Tribal Casino Anti-Money Laundering Compliance Audits

Holland & Knight Alert
Gregory A. Baldwin

The Bank Secrecy Act (BSA) (31 U.S.C. § 5311 et seq.) and the BSA regulations (32 C.F.R. 103.11 et seq.) require every Tribal casino to implement a written anti-money laundering (AML) program. The Internal Revenue Service (IRS) oversees Bank Secrecy Act compliance by Tribal casinos through a periodic audit process. Because the BSA has been codified in Title 31 of the United States Code, such audits are often referred to as “Title 31 Audits.”

In 2007 the IRS increased its efforts to monitor Tribal casino BSA compliance and plans to conduct Title 31 audits on a three to four year rotation. Casinos that have been identified as a “problem” or as “uncooperative” can, however, expect more frequent visits.
 
The Indian Tribal Governments Group in the IRS identified in its July 2007 ITG News publication several problems that IRS BSA auditors repeatedly found during the course of 13 audits of Tribal casinos during the first half of 2007. These problems included:

  • written BSA/AML compliance programs did not exist or were superficial
  • insufficiently trained or inexperienced BSA compliance officers
  • failure to periodically train casino staff on BSA compliance
  • failure to file SAR-Cs
  • lack of adequate independent (non-IRS) testing and auditing to ensure that BSA procedures were being followed

Technically, these are violations of the BSA, but as a practical matter they are currently considered “deficiencies” in IRS BSA audit terminology.
 
The IRS reported findings are so general that it is difficult for casino management (including compliance officers) to really understand them in concrete terms. This Alert explains Title 31 Audits of Tribal casinos and these common “deficiencies” in real terms, and also offers practical recommendations for correcting them before the IRS arrives.
 
Many of the common deficiencies can be easily and inexpensively addressed before an IRS BSA audit, and it is in each casino’s best interest to do so. The scope and depth of each IRS BSA audit can depend on the casino’s compliance history and the IRS audit team’s initial findings. An IRS BSA examination will normally cover the most recent six month period, since that will accurately demonstrate the casino’s current compliance level. If the casino has been previously examined by the IRS and only minor deficiencies were noted, or if the BSA audit for the first three months of the standard six month period shows no deficiencies, then the scope of the audit may be substantially limited. So looking at and correcting the deficiencies commonly found in other casinos before the IRS arrives, can save time and money.

Common Deficiencies

Lack of Written Money Laundering Risk Assessment
 
The most common deficiency is the lack of a formal, written Money Laundering Risk Assessment. A written Risk Assessment is not explicitly required by law or regulation, which probably accounts for this very common deficiency, but since AML programs must be “risk based,” regulators believe that a risk assessment must be prepared before a BSA compliance program can be effectively implemented. As a practical matter, regardless of the absence of a legal requirement, every casino is expected to have a written Risk Assessment upon which its BSA program is based.
 
If a casino does not have a written Risk Assessment when the IRS BSA audit begins, or if a casino has one but it is deemed by the IRS audit team to be inadequate, then two things will occur:

  • First, the IRS audit team will prepare its own Risk Assessment for the casino, and the casino will have no input into the process. Although the IRS assessment may be inaccurate, it will form the basis against which the casino’s entire BSA AML program, internal controls and procedures will be measured, and deficiencies identified.
  • Second, the IRS will “recommend” that a written Risk Assessment be prepared. This is a mandate that can be ignored only at the casino’s peril.1

Every casino should already have a written Risk Assessment, and no casino should wait until its Risk Assessment has been prepared by the IRS, or until the IRS “recommends” that it be done.

Suspicious Activity Identification, Review and Reporting
 
Establishing procedures for identifying suspicious activity that rely primarily or solely on employee first-hand observation of customer activity is a deficiency, even when the observation is reviewed by the employee’s immediate supervisor. Although reliance on employee observation is a valid means for identifying suspicious activity, it cannot be the only one. The BSA regulations require that casinos have written procedures for use of “all available information” (31 C.F.R. 103.64 (a)(2)(v)).
 
1) Use of All Available Data: After lack of a Risk Assessment, the failure to review all available information in detecting suspicious activity is the most common deficiency noted. A lot of suspicious activity can only be detected through regular review of casino records and reports that most employees do not have access to.
 
Every casino is expected to have procedures that employ other means in addition to employee direct observation. These other means include all sources of information such as: the MTLs from all departments, cash-in and cash-our reports, slot ticket data, SAR-C filing histories, player rating information, barred customer logs and surveillance tapes. The procedures should say who will review these materials and when they will be reviewed (regularly, which means either daily or, at the very least, weekly).
 
Moreover, casinos that have automated data processing systems are required to use automated programs to help identify suspicious activity. This doesn’t mean that casinos must get special software, but it does mean that if electronic data systems are used by the casino, they must be used to the greatest extent possible to find suspicious activity.
 
The same is true for CTR-C filing as well. The process should document individuals conducting transactions just below the CTR-C filing threshold to determine if a pattern of such transactions exists.
 
2) Effective Review of Suspected Suspicious Activity: Relying primarily or solely on employee observation in detecting suspicious activity lacks higher level review and control. This is necessary to ensure that all incidents identified by employees are properly and timely investigated; that proper, consistent filing decisions are made; and to ensure that patterns not readily discernable by individual employees and supervisors are identified.
 
Requiring all employees to fill out a “Suspicious Incident Report” when they identify suspicious activity is a more effective procedure. The form should be filled out as soon as activity is identified by any employee (including those regularly reviewing the materials identified in (1) above). It should be immediately submitted through the employee’s supervisor to the compliance officer and contain a full description of the customer and the suspicious activity.
 
3) Documentation of the Review and Evaluation of Reported Suspicious Activity: As a general rule, if a procedure has not been documented, the IRS audit team will conclude that it did not take place, and if it didn’t happen, that’s a deficiency. Suspicious activity reporting procedures must include high (compliance officer) level review, investigation and evaluation of reported suspicious activity, and the documentation of that process.
 
In addition, opinions differ. An IRS audit team (using classic 20/20 hindsight) may think an incident highly suspicious and subject to SAR-C reporting even though the compliance officer may have reached the opposite conclusion in good faith. To defend itself, the casino must be able to show that an employee’s report was reviewed, and the reasons why a SAR-C was not filed.

The “Suspicious Incident Report” form mentioned above should include a section in which the compliance officer documents the date of review, the documents reviewed, the decision on whether to file a SAR-C, and the reason for that decision. Such a form, together with the inventorying of these reports, presents a full and complete picture of thorough review by the appropriate level of management of every reported incident. Ultimately, the decision on whether a SAR-C is filed should be made by the compliance officer, not an employee’s immediate supervisor.

Periodic Independent (Non-IRS) Testing of the BSA Program

This deficiency usually means that a casino has relied on an internal auditor from the casino staff or Tribal Gaming Commission to conduct the required independent periodic program audit, but the assigned person lacks sufficient BSA training or experience.

Casinos have a choice in avoiding this deficiency. They can have the audit done by internal (non-compliance) persons, or by an outside source. Either way, the program procedures should say how often the independent audit will be conducted, how and by whom the independent auditor will be selected, the criteria to be followed and qualifications of the person or entity selected. Since the audit must be independent of the compliance officer, higher management should be involved in the selection process. If the independent audit is done internally, the persons assigned must be well trained. This is best accomplished through outside BSA training conducted by a professional. Alternatively, there are many outside consultants who specialize in conducting independent BSA audits. If an outside source is used, its BSA credentials should be confirmed and the selection process documented.

BSA Employee Training
 
Most casinos give their employees BSA training, however, they often fail to train all the right people, they are not documenting it adequately and they are not updating their training. The casino’s program must include written procedures for each of these factors.
 
1) Current Employees: An adequate training program cannot be limited only to those employees who handle cash. All personnel who review casino records and information, and all personnel who have substantial customer contact or observation need to receive BSA training, particularly on identifying suspicious activity. Employees who need to receive BSA training include: table captains, pit bosses, surveillance personnel, security personnel, cage employees, finance and accounting staff, slot checkers and hotel staff – in short, anyone who could reasonably be considered to be in a position to identify either reportable cash transactions or suspicious activity. Training for those employees who do not have responsibility for conducting cash transactions should focus on identifying and reporting suspicious activity. Deciding which departments should be trained, or which employees in a particular department should attend training, should not be left to the discretion of department managers.
 
The program procedures must identify who has the overall responsibility to ensure that training is conducted periodically, who is responsible for training content, which employees should be trained, the frequency of the training and the maintenance of training records. Training must be thoroughly documented to show who attended, when it was conducted, the training content and who conducted it. Absent adequate documentation, the IRS audit team will likely conclude that it did not occur or that it was deficient.
 
2) New Employees: Frequently overlooked for training purposes are new hires. Casinos often place new employees in sensitive positions without first giving them BSA training. The IRS audit team will view this as a training deficiency.

In addition to general training procedures, the BSA program should contain specific guidelines for each department regarding when and how to train new employees. New employees should not be assigned to their duties without either first undergoing BSA training, or at least without being accompanied by another adequately trained employee until the new hire has been trained. Like periodic training of employees, the training of new hires must be documented.

Incomplete or Inadequate Compliance Programs
 
Every BSA program needs to address all specifics related to the BSA. Procedures that relate to specific departments can be contained in each department’s standard operating procedure, but should be segregated in a separate Title 31 section and be referenced in the overall program. A missing procedure for any aspect of the BSA can be considered a deficiency.
 
Following unwritten procedures is insufficient. No casino has ever avoided a deficiency finding by demonstrating that it follows a procedure in practice. From the IRS’s viewpoint, if a procedure is not in writing in the program, it does not exist, and a procedure that does not exist is a procedure that is not followed. In short, if it’s not in writing in the program, it’s a deficiency.
 
The total lack of a BSA program is an obvious deficiency. While most casinos do have these programs, the problem is that they are often incomplete or inadequate. What this usually means is that a casino’s compliance program does not include procedures covering all specifics related to the BSA, or the procedures do not address those specifics with sufficient detail. The basic rule is that procedures should specify the who, what, when and how of each procedure.
 
The following specific procedures, which should be included as written parts of the BSA program, are often overlooked:

  • how, when and by whom the program is to be updated, or by whom these changes are to be reviewed and approved
  • updating all employees regarding new procedures even before regularly scheduled training
  • procedures for disciplining employees who fail in their BSA responsibilities; discipline must be consistently applied and the compliance officer should have clear authority to impose it in conjunction with the HR department and the immediate supervisor
  • employee evaluations should include performance of BSA responsibilities
  • the specific appointment of a compliance officer by name, with contact information
  • procedures on who is authorized to disclose SAR-C documentation when there is a law enforcement request and who handles more formal requests for information, such as subpoenas

Conclusion
 
The deficiencies identified above are not all of the deficiencies that an IRS BSA audit team may find. They are, however, the most common ones. In most cases, they can be remedied easily and inexpensively by the casino, and doing this before an IRS BSA audit team requires it is not only easier, but it will result in a faster IRS BSA audit with substantially more satisfactory results. Each casino should keep in mind that the scope of an IRS BSA audit, as well as the frequency, is very much a function of the number of deficiencies found by the IRS BSA audit team.

It’s Best to Be Proactive

A review of current BSA AML policies and procedures can be done by a qualified consulting firm or a qualified law firm. Using a law firm has the advantage of conducting the review under the protection of the attorney-client privilege, thus preserving the law firm’s report from disclosure. Regardless of how a review of the program is done, the key is to find the deficiencies – and correct the deficiencies – before the IRS audit team knocks on the door.



1 The procedures in the casino’s BSA/AML program will be assessed in light of the Risk Assessment. The IRS will specifically expect to see that the casino’s program procedures are geared toward the specific money laundering risks identified in the Risk Assessment. If the IRS determines that the casino’s Risk Assessment is adequate, the IRS audit team will use the casino’s Risk Assessment as its general guide for determining how to focus the audit. If, however, the casino does not have a Risk Assessment, or if the IRS team considers it to be inadequate, the IRS will develop its own money laundering Risk Assessment for the casino, and use that as its guide for the audit process. 

Related Insights