Articles & E-Books


Tribal casino compliance and regulations are changing. What it means for you.

Mar 19, 2021
By: Grant Eve

Cybersecurity and Title 31/AML best practices are an always-moving target.

Recent changes in the way casinos do business — working remotely and contracting with more third-party vendors — have changed how regulators and compliance teams conduct their critical work. Yet the ongoing disruption over the past year has made it harder to focus on tribal casino compliance and regulations.

Whether it’s a result of the new ways tribal casinos operate or changing laws and regulations, staying informed with accurate information is a crucial part of casino compliance. Knowing the latest issues and the new recommendations is key for ensuring continued casino success.

Cybersecurity concerns

Cybersecurity has been a top concern over the past year. Some casino staff transitioned to working remotely where possible, requiring greater reliance on third-party vendors to keep operations running smoothly.

Casino leaders had good reason to prioritize cybersecurity. Several major breaches occurred in 2020, and some infiltrations forced casinos to shut down. Because casinos handle large quantities of revenue and manage sensitive customer data like credit card information, they are a desirable target for cybercrime.

Here are some of the ways tribal casinos can protect themselves from cyberattacks:

  • Request a SOC report: A systems and organization controls report (SOC) from a third-party business solutions provider will help you verify best practices.
  • Adopt an MDR solution: A managed detection and response (MDR) solution uses machine learning and artificial intelligence to look for indications of compromise. For example, MDR solutions can detect actions like someone attempting to log in to a user account or gain access to a database.
  • Enable multi-factor authentication: Regulators should ensure that multi-factor authentication is built into all of their programs and provide consistent and updated training.
  • Hire an expert: A chief security officer is dedicated to preventing cyberattacks. If it doesn’t make sense to hire an internal CSO, consider outsourcing for consultation.

While no single cyber-solution can guarantee your casino will remain protected from cyberattacks, adding these steps to build a strong compliance program can help mitigate risk. 

Title 31/AML compliance evolution

During his keynote speech at the September 2020 Association of Certified Anti-Money Laundering Specialists conference, Kenneth Blanco, director of the Financial Crimes Enforcement Network (FinCEN), discussed how new technologies will impact financial crime detection. For casinos, the emphasis is particularly on sports betting and mobile gaming.

The number of states adopting sports betting and mobile gaming continues to rise, creating new revenue opportunities for casinos. But with every new service or offering, casino compliance teams must ensure they’re meeting regulations. Fortunately, sports betting has been legal outside the United States for decades, offering regulators an opportunity to see what’s worked elsewhere. 

The Code of Federal Register §1021.210 outlines what measures casino compliance programs need to have at a minimum to satisfy AML regulations. One notable aspect is the procedures for using all available information to determine “the name, address, social security number, and other information, and verification of the same, of a person.” While this regulation is broad and leaves room for interpretation, FinCEN has mentioned it in every speech and enforcement action in the last several years as it relates to sports betting.

Each of the following controls can help determine “all available information” as recommended by FinCEN.

  • Patterns of transactions
  • Structuring
  • Know-your-customer (KYC)
  • Cyber-related incidents

Consider building these items into your sports betting or mobile gaming applications for detection.

Proposed changes to AML regulations

In September 2020, FinCEN issued an advanced notice of proposed rulemaking (ANPRM) titled “Anti-Money Laundering Program Effectiveness.” FinCEN invited AML stakeholders to provide comments on their proposal to reshape the US Bank Secrecy Act/AML regulations.

Under the ANPRM, there would be three factors under the proposed definition of an “effective and reasonably designed” AML program:

  1. The program identifies, assesses and reasonably mitigates the risks resulting from illicit financial activity.
  2. The program assures and monitors compliance with the recordkeeping and reporting requirements of the Bank Secrecy Act.
  3. The program provides information with a high degree of usefulness to government authorities consistent with both the institution's risk assessment and the risks communicated by relevant government authorities as national AML priorities.

The amendments would ultimately provide casinos with greater flexibility and efficiency with more effective outcomes. The change would also benefit casinos by allowing them to create an AML compliance program that best matches the level of risk at the facility.

How Wipfli can help

When it comes to tribal casino regulations and compliance, experience counts. Wipfli offers compliance consulting in multiple capacities related to information technology and Title 31/AML.

To learn more or to request a customized risk assessment, contact the team at Wipfli.

Sign up to receive additional tribal gaming information in your inbox, or learn more with these resources:


Grant Eve, CPA, CFE
View Profile
Future. Accelerated.
See how our focus on the future helped our clients and strengthened our firm.
Learn more