REGULATION GG YOUR NEW OBLIGATIONS TO STOP UNLAWFUL INTERNET GAMBLING BY AMY AVITABLE ASSOCIATE DIRECTOR METAVANTE REGULATORY SERVICES SPRING 2009
Agenda Overview of requirements What is unlawful internet gambling? Who is subject to the requirements? What operations are affected? What new processes are required in your institution? Overview of Requirements Effective January 19, 2009 Mandatory compliance date of December 1, 2009 Required policies and procedures take time to put in place Don t wait until the last minute! Overview of Requirements 1
Overview of Requirements Detailed definitions throughout the regulation General goals of regulators Burden on institutions with: o Internet gambling businesses as customers o Other commercial customers that receive proceeds of unlawful internet gambling Focus compliance requirements on due diligence Institutions are not responsible for catching consumer gamblers What is Unlawful Internet Gambling? Gambling that: Involves the internet in some way Is illegal under federal, state or tribal law No guidance on what is illegal Rely on due diligence procedure examples to meet requirement Who is Subject to the Requirements? Participants in designated payment systems ACH networks Card systems Check collection systems Wire transfer systems Money transmission services to extent that: o Services other than check cashing, currency exchange, or issuance or redemption of instruments and o Allow customers to initiate transactions remotely 2
Who is Subject to the Requirements? Participants include: Operator Financial transaction provider involved with a designated payment system as: o Member (NACHA) o Contracted for financial services (MasterCard/Visa) o Otherwise participating in the system (wire transfers) Excludes customers of the financial transaction provider unless they are also financial transaction providers Exemptions Certain participants in: ACH networks Check collection systems Wire transfer systems Money transmission services If exempt, no additional requirements If not exempt, called non-exempt participant and subject to requirements Most institutions are non-exempt participants Exemptions and Card Systems What is never exempt? Card systems Operators, third-party processors and card issuers covered Cards include debit, credit and stored value cards 3
Exemptions and Card Systems Caution regarding co-branded cards Situation: Your institution issues the cards; cards are branded with another organization s information Your institution processes authorization requests Follow your policies and procedures The co-branded organization processes authorization requests You are responsible for ensuring that they also follow your policies and procedures Exemptions Participants in ACH network exempt unless: Institution is the RDFI for an ACH credit transaction on behalf of the receiver Institution is the ODFI for an ACH debit transaction on behalf of the originator Certain gateway operators and third party processors Bottom line If your customer is the business getting the funds, you are responsible Exemptions Check collection systems All participants exempt except for depositary institution Wire transfer systems All participants exempt except for beneficiary institution Money transmitting businesses All participants exempt except for operator Operator Provides centralized clearing and delivery systems, maintains operational framework 4
What New Processes are Required in Your Institution? Regulation GG policies and procedures Written Reasonably designed to identify and block, or prevent or prohibit, restricted transactions Non-exclusive examples are deemed to be reasonably designed May put different policies and procedures in place for different business lines or areas of the institution What New Processes are Required in Your Institution? Reliance on payment system operator s policies and procedures is allowed Operator should provide a certification, letter or other statement that their policies and procedures are compliant You have to follow their rules to be considered compliant More likely to come up for ACH and card systems 5
Due Diligence Procedures Requirements to be reasonably designed Gather due diligence information Determine if customer presents a minimal risk If customer presents more than a minimal risk, meet documentation requirements Account Opening Due Diligence Procedures Step 1 - Gathering due diligence information Risk-based based on customer s business May consist of simple questions about customer s business Step 2 - Risk rating the customer If minimal risk No more due diligence requirements o Deemed to be minimal risk Regulated financial institutions and organizations regulated by the FTC State and federal governmental entities If not minimal Must meet documentation requirements of Step 3 6
Account Opening Due Diligence Procedures Step 3 Documentation Does the customer engage in any internet gambling business? o If no Customer must provide you with a certification o If yes Institution must get: Evidence of customer s legal authority to engage in internet gambling and Third party certification that customer s systems are reasonably designed to keep internet gambling within legal limits Age verification Location verification Account Opening Due Diligence Procedures Step 3 Documentation When getting evidence of customer s legal authority, must get two things: o Verification that activities are legal - Either: Where customer has a license - Copy of internet gambling license issued by state or tribal authority, or Where customer doesn t have a license Reasoned legal opinion from customer s legal counsel that activity is legal o Written commitment Written commitment from customer to notify financial institution of any change in legal authority Regulation says such as but really means for these to be requirements, not examples Questions? Ask the state or tribe, or have the customer ask 7
Notice to Business Customers Flexibility in providing notice Our recommendation: Mail notice to all existing customers Add to account opening documentation for new accounts Add to wire documentation if you allow wires for noncustomers What Operations are Affected? Not limited to deposit operations but will primarily come up there Check your services for commercial customers! Do you provide any other method to receive funds through: ACH networks Card systems Check collection systems Wire transfer systems 8
Money Transmitting Businesses What to do? Apply your due diligence procedures to your customer No need to apply them to your customer s customer Your customer s responsibilities Must have Regulation GG policies and procedures itself Foreign Correspondent Accounts What to do? Apply account opening due diligence to foreign respondent Apply additional procedures to block, prevent or prohibit restricted transactions if you get actual knowledge of a transaction Due Diligence Procedures When do you have to apply them? Account opening Apply to all commercial customers o Required even if customer already has another account at your institution Existing customers without account opening: o No need to risk rate them o Due diligence documentation procedures apply when you have actual knowledge that customer engaged in internet gambling Provide the notice to all commercial customers Can be provided through mailing, account opening disclosure, or any other method 9
Actual Knowledge When one or more of the following individuals becomes aware of the information: Officer of the institution Person responsible for compliance for that transaction or customer How will you define it? Select employees o Should define the select roles in your procedures o May be the best alternative where institution has some at-risk customers All employees of your institution o May be the easiest options for institutions with no at-risk customers Account Servicing Due Diligence Procedures Triggered where officer or person with compliance responsibility has actual knowledge that a commercial customer has internet gambling business Procedures that apply - Due diligence documentation requirements from account opening procedures Must get: o Evidence of customer s legal authority to engage in internet gambling and o Third party certification that customer s systems are reasonably designed to keep internet gambling within legal limits Age verification Location verification Follow account opening procedures regarding evidence of legal authority 10
Summary of Initial Requirements Account opening Apply due diligence procedures to all commercial customers Account servicing Apply documentation requirements if actual knowledge of gambling activities Notice - Send notice to all commercial customers 11
Procedures for Blocking Transactions Different sample procedures for each designated payment system Card systems Use: Due diligence procedures or Code system Must follow requirements, get written statement of compliance Procedures for Blocking Transactions General rule Must have actual knowledge of restricted transaction for additional procedures to apply Exception for card systems Additional procedures for ACH systems: Step 1 Institution receives actual knowledge of restricted transaction Step 2 Reject the transaction if possible Step 3 Deal with the customer o Limit customer s ACH capabilities o Close the account Additional procedures required for gateway operators and third party processors with transactions from foreign senders 12
Procedures for Blocking Transactions Additional procedures for check collection systems: Step 1 Check from restricted transaction is deposited Step 2 Institution receives actual knowledge of restricted transaction Step 3 Deal with the customer o Limit customer s ability to deposit checks o Close the account Receipt of checks sent for collection from foreign banking office If notified by federal government that check involved restricted transaction, have procedures to notify the foreign banking office Model language in regulation Procedures for Blocking Transactions Additional procedures for wire transfer systems: Step 1 Customer receives wire transfer Step 2 Institution receives actual knowledge of restricted transaction Step 3 Deal with the customer o Limit customer s ability to receive wire transfers o Close the account Procedures for money transmitting business customers Apply due diligence procedures Procedures for Blocking Transactions Requirements reflect reality Mitigate risk upfront through due diligence Deal with aftermath through procedures that apply when you have actual knowledge that a transaction has occurred Where transactions are caught during processing, must reject or block transaction Block means reject transaction and return funds No other blocking of funds required o No need to restrict other funds in commercial customer s accounts o Receiver of returned funds should make funds available to their customer Remember Always file a SAR! 13
Items To Do By December 1, 2009 Determine how to meet the notice requirement to commercial customers Mailing or other notice to existing customers New language in contract, account opening notice or other notification for new accounts Add due diligence requirements to account opening procedures Add documentation procedures for when institution receives actual knowledge that a commercial customer is engaging in internet gambling Add procedures for blocking restricted transactions Contact your card systems to determine if you can rely on their procedures Train staff 14