Data Protection in Gaming Compliance: FinCEN’s Final Access Rule and What It Means for Gaming


The Financial Crimes Enforcement Network (FinCEN) has recently issued the final rule implementing the access and safeguard provisions of the Corporate Transparency Act (CTA), known as the "Access Rule", which represents a significant regulatory shift for the gaming industry and its compliance officers. This rule outlines the circumstances under which beneficial ownership information (BOI) reported to FinCEN can be disclosed to authorized recipients and establishes measures to protect the sensitive nature of this information, a critical aspect for the gaming industry, which is known for its stringent data protection standards.
Background and Regulatory Context
The Access Rule, central to data protection in gaming compliance, is a result of the CTA, setting the framework for handling BOI with an emphasis on confidentiality and limiting disclosure. FinCEN is authorized to disclose BOI to six categories of recipients: U.S. Federal agencies engaged in national security, intelligence, or law enforcement; State, local, and Tribal law enforcement agencies with court authorization; foreign law enforcement agencies, judges, prosecutors, and other authorities meeting specific criteria; financial institutions with customer due diligence (CDD) requirements; federal functional regulators and other appropriate regulatory agencies; and U.S. Department of the Treasury officers and employees. Each authorized category is subject to security and confidentiality protocols aligned with applicable access and use provisions.
Initially, the Access Rule only applied to institutions covered under the 2016 Customer Due Diligence Rule. However, the revised understanding of institutions with “customer due diligence requirements under applicable law” gives MSBs, casinos and other covered financial institutions the opportunity to use the BOI database.
Security and Confidentiality Requirements
Access to BOI, a critical element in data protection in gaming compliance, is subject to rigorous security and confidentiality requirements as outlined in the CTA and the Access Rule. Domestic agencies must establish and adhere to standards and procedures, enter into agreements with FinCEN, maintain secure systems, audit BOI request records, restrict access, and provide reports and certifications to FinCEN.
Financial institutions obtaining BOI must implement administrative, technical, and physical safeguards, using similar procedures as those for protecting customers' nonpublic personal information under the Gramm-Leach-Bliley Act. Foreign requesters, under international treaties, agreements, or conventions, must comply with handling, disclosure, and use requirements, while those from "trusted foreign countries" must establish their own security measures. Re-disclosure of BOI information is strictly prohibited except in specifically outlined circumstances in the Access Rule.
Implementation of BOI Access Timeline
FinCEN will implement a phased approach to providing access to the BOI IT system. A pilot program for key Federal agency users is scheduled for 2024, followed by extending access to Treasury offices and certain Federal agencies. Subsequent stages will include additional Federal agencies, State, local, and Tribal law enforcement, intermediary Federal agencies for foreign government requests, and finally, financial institutions and their supervisors.
Although casinos are part of the broadened category of institutions following the revisions, they will not be prioritized for access to the database. FinCEN “intends to provide access as an initial matter to financial institutions that are covered financial institutions under the 2016 CDD Rule.” Thus, casinos and MSBs may not see access to the database for quite some time.
The Reality for Gaming Institutions
Short-Term Impact
There is little impact on gaming institutions in the near future. Assuming there are no delays for the six categories of organizations receiving access to the database, there is still likely more than a year of waiting for FinCEN to give casinos access. The way the rule reads, access for casinos and MSBs isn’t guaranteed either. FinCEN notes that it will work “to further evaluate whether it is appropriate and feasible to expand access to other financial institutions, such as MSBs or casinos, after an initial implementation period.”
Mid-Term Impact
In terms of data protection in gaming compliance, if and when access to the database is granted, there remains a significant hurdle to using it effectively. FinCEN requires that institutions obtain the consent of the reporting entity before they are allowed to make an access request.
“Before making a request for information regarding a reporting company under paragraph (b)(4)(i) of this section, the financial institution shall obtain and document the consent of the reporting company to request such information. The documentation of the reporting company’s consent shall be maintained for 5 years after it is last relied upon in connection with a request for information under paragraph (b)(4)(i) of this section.”
While banks and more traditional financial institutions may have the ability to add something to their terms & conditions or as part of account sign-up, this requirement makes the database largely unusable for most casinos. While the consent can be tied to front money, credit or online accounts, cash customers are likely never going to be in a situation where they would sign an attestation consenting to such an invasive request.
For igaming institutions and casinos with large credit customer populations, the database can become an incredibly useful investigation tool for enhanced due diligence on high net-worth and high-risk individuals. However, questions remain on ease of access, whether or not connections to the database can be automated, and how rapid FinCEN’s response times will be if requests are made on a one-by-one basis.
Long-Term Impact
The overall impact on gaming institutions remains a bit unknown. Unless updates coming to the CDD Rule sneak casinos in as covered institutions, the Access Rule is unlikely to have a sweeping impact on the industry. The public intent of the updates is to bring the CDD Rule in line with the various implemented segments of the Corporate Transparency Act. However, until proposed rulemaking is published, it’s unclear what the updates to the CDD Rule will contain. Additionally, it’s unclear whether FinCEN’s evaluation of MSBs, casinos and other institutions will introduce any additional requirements for database access.
There will be plenty of lessons learned as government, law enforcement and institutions subject to the CDD rule gain access to the database and begin to use and comment on it in the year to come. We’re likely multiple years away from a useful, accessible database.
While the short-term impact on data protection and gaming under the Access Rule may be minimal, the potential for significant mid- to long-term effects cannot be overstated. Casinos and other financial institutions must remain vigilant and proactive in adapting to these changes.
ABOUT KINECTIFY
Kinectify is an AML risk management technology company serving gaming operators both in the US and Canada. Our modern AML platform seamlessly integrates all of the organization's data into a single view and workflow empowering gaming companies to efficiently manage risk across their enterprise. In addition, Kinectify's advisory services enhance gaming operators' capacity with industry experts who can design and test programs, meet compliance deadlines, and even provide outsource services for the day-to-day administration of compliance programs.
