A Blog About Online Gaming and Entertainment Regulations
For Payment Processors: A Compliance Plan That Even Banks and Credit-Card Networks Will Love
A little more than two years ago, the U.S. Supreme Court issued its decision in Murphy v. National Collegiate Athletic Association, striking down federal limits on the expansion of sports betting. Since then, a number of states have legalized sports betting—Colorado, Illinois, Indiana, New Jersey, Pennsylvania, Tennessee, and West Virginia, to name a few. Indeed, many states now permit sports betting at brick-and-mortar establishments as well as through mobile applications and the Internet. Many other states likely will follow suit.
As the U.S. sports betting market is expanding, so too is the market for other forms of gambling, such as casino games. Naturally, gaming operators have been preparing to take advantage of these growth opportunities. As they expand to new states, industries that serve the gambling space will too. States that have legalized sports betting and other types of gambling are seeing increased economic activity in certain industries, such as the provision and maintenance of server farms, software development, and payment processing or payment services. Although banks used to view gaming-related payment processors with a jaundiced eye, many have warmed to processors who handle gaming transactions so long as they have a robust compliance plan in place. That raises a question: what kind of compliance plan must a payment processor have in order to satisfy the banks and credit-card networks?
Before answering, we should provide context for the banks’ and card networks’ standards, which derive mostly from the Bank Secrecy Act and related regulations. The Currency and Foreign Transactions Reporting Act of 1970, as amended by the USA Patriot Act of 2001 and other legislation, constitutes the Bank Secrecy Act (the “BSA” or “Act”), which establishes requirements for record keeping and reporting by individuals, banks, and other financial institutions. The BSA gives the Treasury Secretary authority to impose record keeping and reporting requirements to aid the enforcement of anti-money laundering and terrorist financing laws. The Secretary, in turn, has delegated authority to the Director of the Financial Crimes Enforcement Network (“FinCEN”) to implement, administer and enforce the BSA and related regulations. In essence, FinCEN’s regulations require financial institutions to create and implement anti-money laundering (“AML”) programs with core elements, including (i) customer identification and verification, (ii) identification and verification of beneficial owners, (iii) development of a risk profile for each customer, (iv) ongoing reporting for suspicious transactions, and (v) maintaining and updating customer information, as needed given the customer’s risk profile. In addition, the Federal Reserve Board has issued a regulation, Regulation GG, which prohibits businesses involved in the gambling industry from accepting third-party payments for gambling activities, i.e., “restricted transactions,” unless the business has policies for monitoring, identifying, preventing, and prohibiting restricted transactions. We discuss below the main components of an effective compliance program—customer identification, verification and due diligence—and show how they relate to each of the required elements listed above.
Customer Identification
Payment processors that wish to process gambling transactions must have and enforce a compliance plan that requires identification and verification of each gaming operator the payment processor onboards. In other words, the payment processor must have a policy to get the operator’s full name and, if that person is an individual, the person’s date of birth, address, government-issued photo ID, identification number (such as a Tax ID or passport number), and banking references. If the operator is a business, the payment processor must require the operator’s principal place of business, local office, or other physical address; all incorporation documents; and banking references. If the business is a private company, the compliance plan must provide for identification and verification of all directors, shareholders, and beneficial owners.
The payment processor’s compliance plan must also provide for immediate verification of the identification information described above. Verification may be accomplished through various means, including contacting the operator to verify the information received, independently verifying the information through a consumer reporting agency or public database, checking references from the person’s financial institutions, or obtaining a recent statement corroborating the information provided, such as the person’s home address.
Customer Due Diligence – Onboarding
The third requirement for an acceptable compliance plan is policies and procedures ensuring that the payment processor gets a general overview of the operator’s business, associated risks, and proof of the person’s authority under applicable state law to operate a gaming-related business. For the general overview, the payment processor could require (i) identification of the operator’s website addresses and mobile applications related to its gaming business, (ii) sources of operator funding, (iii) information about the specific games involved, (iv) a list of all jurisdictions in which the games are offered, (v) a statement as to how the operator wants to use the payment services, (vi) links to or copies of the operator’s terms of service, and (vii) contact information for the individual who will be the operator’s point of contact with the payment processor.
The payment processor should also obtain proof that the operator is authorized under state law to provide gaming-related goods or services. Such authorization could be proved with a copy of the operator’s gaming license, registration, or no-action letter for every type of gaming the operator offers. Moreover, the payment processor should obtain a copy of the operator’s Anti-Money Laundering and Counter-Terrorism Financing (“AML/CTF”) policies, and written certification that the operator will provide notice of any changes to its legal authority to provide gaming-related goods or services. Finally, the payment processor’s compliance plan should provide for third-party verification that the operator’s systems are reasonably designed to ensure it will operate within lawful limits. At least two third-party verifications are warranted. First, the payment processor should get valid certification by a State laboratory or State-approved supplier that the operator’s gaming products meet applicable specifications and standards. Second, the payment processor should get the operator’s certification that it employs a State-approved supplier to implement all age verification and geo-location controls.
In addition to the foregoing requirements, the payment processor should also inquire whether the operator needs a money transmitter license (“MTL”) in any of the jurisdictions in which the operator’s games are offered and, if so, request a copy of the MTL. The compliance plan should also require the payment processor to ask whether the operator must register with FinCEN as a money services business. All names provided by the operator during the application and onboarding process must be checked against compliance databases, such as the Specially Designated Nationals and Blocked Persons list and reputable databases for identifying Politically Exposed Persons (“PEP”).
Customer Due Diligence – Ongoing
The compliance plan must provide policies and procedures not only for onboarding, but also for ongoing due diligence of operators who are existing clients. Robust compliance plans will provide for some type of periodic review, based on the payment processor’s risk profile for that operator or the customer group to which the operator is assigned. The purpose of the periodic review is to ensure that the operator’s due diligence materials (such as gaming licenses) are valid and up to date, ensure that the operator is implementing the AML/CTF policy it provided during the application process, and test the findings of any audit concerning implementation of the policy.
A compliance plan that covers all of the foregoing areas will likely be considered robust enough for the payment processor’s bank because it requires reasonable efforts to identify and verify the identity of the operator and operator’s beneficial owners and provides for initial and ongoing customer due diligence. Payment processors who want to do business in the gaming sector will do well to adopt a compliance plan that covers each of these components thoroughly.