Update 1 – 12/5/2011 to add examination procedures*.
Update 2 – 2/13/2012 to emphasize policy requirements.
Update 3 – 10/8/2012 to add specific courses of action if the FI has “actual knowledge” of restricted transactions.
We first saw this trend back in July 2011, and continue to see it, so I’m calling this a definite trend as opposed to an anomaly. Here is the background: The Unlawful Internet Gambling Enforcement Act of 2006 (“UIGEA”) prohibits any person, including a business, engaged in the business of betting or wagering from knowingly accepting payments in connection with the participation of another person in unlawful Internet gambling. As a result, the Agencies (FDIC, OCC, NCUA, Federal Reserve) issued Reg GG, requiring financial institutions to establish policies and procedures “reasonably designed to identify and block, or otherwise prevent or prohibit, restricted (gambling) transactions” with compliance required as of June 1, 2010.
Most institutions have measures built in to their account opening procedures by their core vendor to comply with this Reg, but the recent examination findings seem to address the lack of a specific UIGEA policy. This would indicate that procedures alone may not be enough to demonstrate compliance anymore (i.e., “we’re doing it even though we don’t say we are” isn’t enough). So what are you supposed to do? Make sure you have a specific written UIGEA policy, and that it is designed to address the following:
- Don’t assume that just because you have no (or a few) commercial customers you aren’t required to have a policy. The implementation burden is lessened, but a policy is still required.
- Designate a person responsible for UIGEA compliance (this was a specific finding in one of the recent examinations).
- Focus on establishing a due diligence process when initiating a commercial customer relationship.
- Communicate to your commercial customers contractually up front (and periodically throughout the relationship) that restricted transactions are prohibited. Your policy should state that the commercial customer agrees to not originate or receive restricted transactions throughout the customer relationship. If the risk warrants, a certification from the customer is recommended.
- Your due diligence obligations do not end once the account is opened.
- Specify a specific course of action to be followed in case you have “actual knowledge” that a customer has violated the policy. For example:
- Perform an account review
- Suspend activity on the account
- Contact the customer
- Contact legal counsel (if appropriate)
- Close the account
- File a SAR, if warranted
- Contact regulatory authorities
- Contact law enforcement
- If cooperating with law enforcement, and so advised by same, continue processing
There are additional regulatory expectations if you actually have customers that are legally allowed to engage in an Internet gambling business, i.e. through U.S. State or Tribal authority. In fact when I started getting reports of UIGEA policy deficiencies, my first thought was that all the institutions may have had that common denominator…they had customers legally engaging in Internet gambling. That was not the case, however. It would appear that this is just the latest regulatory “hot button”.
* Download Full Act, examination procedures in Attachment C