Introduction
This checklist will assist in-house counsel, private practitioners, and compliance and contract management personnel who are responsible for licensing and legal compliance in an organization that participates in commercial gambling, with legal risk management and operational compliance. This checklist addresses the complicated legal and regulatory framework at the federal, state, and local levels.
The checklist is presented as a list of requirements that you can check off as they are addressed. At the end of the document, there are explanatory notes corresponding to each requirement in the checklist.
This checklist addresses the following steps:
- Understanding your jurisdiction
- Business registration and financial stability
- Technical standards
- Player verifications and interactions
- Anti-money laundering and fraud prevention
- Ongoing compliance
The checklist can be used in conjunction with the following: Quick view: The regulation of remote gambling and Quick view: Tribal gaming versus non-tribal gaming.
Step 1 – Understanding your jurisdiction
| No. | Understanding your jurisdiction |
| 1.1 | Identify the exact geographic location where you intend to operate |
| 1.2 | Confirm whether commercial gambling is legal in your jurisdiction |
| 1.3 | Obtain and review all relevant laws and regulations in your jurisdiction |
Step 2 – Business registration and financial stability
| No. | Business registration and financial stability |
| 2.1 | Register your business entity with the appropriate authority in your jurisdiction |
| 2.2 | Secure all required licenses and registrations |
| 2.3 | Prepare for background checks and financial vetting |
| 2.4 | Obtain all necessary business insurance |
Step 3 – Technical standards
| No. | Technical standards |
| 3.1 | Understand requirements for game testing and certification |
| 3.2 | Ensure methods for secure data transmission |
Step 4 – Player verifications and interactions
| No. | Player verifications and interactions |
| 4.1 | Implement player verification procedures |
| 4.2 | Implement responsible gaming measures |
Step 5 – Anti-money laundering and fraud prevention
| No. | Anti-money laundering and fraud prevention |
| 5.1 | Appoint a Bank Secrecy Act (BSA) compliance officer |
| 5.2 | Ensure compliance with applicable federal AML laws |
Step 6 – Ongoing compliance
| No. | Ongoing compliance |
| 6.1 | Establish recordkeeping policies |
| 6.2 | Establish a system to track all filing and reporting deadlines |
| 6.3 | Ongoing preparedness for audits/inspections |
Step 1 – Understanding your jurisdiction
1.1 Identify the exact geographic location where you intend to operate
Federal, state, and local gambling laws require potential operators to identify the specific locations where they intend to operate. Operators should include the state, county, and city. Different jurisdictions in the same state may have different rules. For example, although there are Indian casinos operating in New York State, plans to build casinos in Manhattan and Brooklyn were rejected by local advisory committees.
1.2 Confirm whether commercial gambling is legal in your jurisdiction
In the United States, states are the primary source of gambling laws and regulations. State laws vary significantly. For example, in many states, casinos are restricted to Native American lands and are owned and operated by tribes. Non-tribal casinos are permitted in 21 states.
As of September 2025, only a small number of states have fully legalized both online sports betting and online casino games. Those states are Connecticut, Delaware, Michigan, New Jersey, Pennsylvania, Rhode Island, and Virginia. A much larger number of states permit online sports betting, including Arizona, Colorado, Illinois, and New York.
Two states, Hawaii and Utah, prohibit nearly all forms of gambling, including remote gambling.
1.3 Obtain and review all relevant laws and regulations in your jurisdiction
1.3.1 State-level laws and regulations
The legality and regulation of gambling varies widely throughout the United States. As set out in Section 1.2, states are the primary source for laws and regulations related to gambling. State laws vary significantly.
In many states, such as Arizona and California, casinos are confined to Native American reservations, and private casinos are not allowed. As at October 2025, non-tribal, land-based casinos are permitted in 21 states: Arkansas, Colorado, Illinois, Indiana, Iowa, Kansas, Louisiana, Maine, Maryland, Massachusetts, Michigan, Mississippi, Nevada, New Jersey, New York, Ohio, Pennsylvania, Rhode Island, South Dakota, Virginia and West Virginia. Six other states: Illinois, Indiana, Iowa, Louisiana, Mississippi, and Missouri allow riverboat casinos.
In 2018, in the case of Murphy v National Collegiate Athletic Association 584 U.S 453 (2018), the United States Supreme Court struck down the Professional and Amateur Sports Protection Act of 1992, which had banned sports betting nationwide. Following the Court’s ruling in Murphy, individual states were permitted to decide on legalization of sports betting within their jurisdictions.
As of September 2025, only a small number of states have fully legalized both online sports betting and online casino games. Those states are Connecticut, Delaware, Michigan, New Jersey, Pennsylvania, Rhode Island, and Virginia. A much larger number of states permit online sports betting, including Arizona, Colorado, Illinois, and New York.
Where gambling is legal, states have established gaming regulatory commissions or departments that approve licenses, regulate games and equipment, and conduct oversight of gaming operators.
In states where remote gambling is legal, online operators must use geolocation or geofencing technology to verify that a user is physically located within state borders before allowing them to place a wager. This helps to prevent illegal out-of-state betting.
1.3.2 County and city regulations
County and city regulations for casinos focus primarily on land use, public safety, and specific operational controls. While state and tribal authorities handle broader licensing and gaming regulations, local governments address the casino’s impact on the surrounding community. Examples include noise ordinances, law enforcement, land use and zoning, and crowd control.
1.3.3 Identify which agencies regulate gambling in the jurisdiction
All states in which gambling is legal have established a gaming board, bureau, or commission to regulate gaming within the jurisdiction. The agency or commission issues licenses, oversees gaming operations, and enforces rules and regulations. State-level boards or commissions include the Nevada Gaming Control Board, Pennsylvania Gaming Control Board, Arizona Department of Gaming, and New Jersey Casino Control Commission. These state-level authorities are the primary enforcers of licensing and compliance obligations, and are also responsible for overseeing any tribal-state gaming compact. Every jurisdiction that allows gambling requires operators to hold a license for each specific type of gaming offered. For example, an operator may need an online sports betting license, or an online poker license in some states.
The National Indian Gaming Commission (NIGC) is the only federal agency dedicated solely to gambling regulation. It only oversees gaming on Native American lands and is responsible for ensuring that casinos on those lands comply with the Indian Gaming Regulatory Act (IGRA).
1.3.4 Federal laws
Unlawful Internet Gambling Enforcement Act
The most significant federal law that addresses online gaming is the Unlawful Internet Gambling Enforcement Act of 2006 (UIGEA). The UIGEA is not a prohibition against online gambling, but gambling businesses are barred from knowingly accepting payments made in connection with internet gambling that is unlawful under either state or federal law.
Illegal Gambling Business Act
The Illegal Gambling Businesses Act (IGBA) criminalizes certain large-scale illegal gambling operations. Because states determine the extent of legal gambling within their respective jurisdictions, a business is subject to the IGBA if it is in violation of the gambling laws of the state or local political subdivision where it is conducted. The IGBA covers businesses with five or more persons who either own, manage, finance, or direct the operations, and the business must have been in substantially continuous operations for more than 30 days or have had a gross revenue of $2,000 or more in any single day. Penalties under the IGBA include up to five years in prison and substantial fines. A violation of the IGBA can also trigger charges under other federal statutes, such as the Racketeer Influenced and Corrupt Organizations (RICO) Act and the Travel Act.
Interstate Wire Act
The Interstate Wire Act of 1961, often referred to as the Federal Wire Act, prohibits using “wire communication facilities” to transmit bets or wagers on any sporting event or contest across state lines or to a foreign country. In 2021, in New Hampshire Lottery Commission v Rosen, 986 F.3d 38 (2021), the US Court of Appeals for the First Circuit ruled that the Federal Wire Act applies only to interstate sports gambling. That ruling followed a period of uncertainty following conflicting Department of Justice (DOJ) opinions from 2011 and 2018. Penalties for violations of the Federal Wire Act include up to two years’ imprisonment and significant fines.
Indian Gaming Regulatory Act
The Indian Gaming Regulatory Act (IGRA) of 1988 provided a legal mechanism for the federal government to regulate gaming on sovereign Native American lands. The IGRA also established the National Indian Gaming Commission (NIGC), a federal regulatory agency within the Department of the Interior, that monitors tribal gaming, approves tribal gaming ordinances and management contracts, and enforces the IGRA. The IGRA classifies gaming into three categories, each with its own regulatory structure:
- Class I gaming: Includes traditional Indian games played as part of tribal ceremonies and social games with minimal prizes. This class is regulated exclusively by the tribal government and is not subject to IGRA’s requirements.
- Class II gaming: Covers bingo (including electronic aids) and certain non-banked card games (where players compete against each other, not the house). Class II is regulated by tribes with oversight from the National Indian Gaming Commission (NIGC).
- Class III gaming: Includes all other forms of gaming, such as casino games (slot machines, blackjack), horse racing, and other banked card games. This is the most heavily regulated class and requires a tribal-state compact. The compacts define the specific types of games permitted, the degree of regulatory oversight, and revenue sharing. All tribal-state compacts must be approved by the Secretary of the Interior.
Step 2 – Business registration and financial stability
Obtaining a business registration and proving financial stability are among the first steps in operating a gambling operation.
2.1 Register your business entity with the appropriate authority in your jurisdiction
2.1.1 Decide on the appropriate business entity
Choosing the appropriate business entity is a critical step when starting any business, including one as a gambling operator, as it affects legal liability, tax obligations, management structure, and the ability to raise capital. The most common types of business entities include sole proprietorships, partnerships, limited liability companies (LLCs), and corporations. Each option has its own advantages and limitations, so the right choice depends on the business goals, risk tolerance, ownership structure, and long-term plans.
For large commercial casinos, the most common business entity is a corporation, often a publicly traded one. Many of the world’s largest casinos are owned by major publicly traded corporations. This structure allows these companies to raise significant capital by selling shares on the stock market.
2.1.2 Choose a business name
Choosing a good business name is essential for attracting customers and building brand identity. A strong name should be catchy and easy to pronounce. It’s important to ensure the name is unique, not already in use, and legally available for trademark and web domain registration. Most states have an online platform that allows the public to search for a business name to determine its availability.
2.1.3 Determine filing requirements and fees
When registering a business entity with a state, the process typically involves filing formation documents—such as Articles of Incorporation (for corporations) or Articles of Organization (for LLCs)—with the Secretary of State or a similar state agency. Fees for filing an entity vary widely according to state and entity type, but generally range from $50 to $500 for initial filings, with ongoing annual report fees required to remain in good standing. It is important to check the state’s specific form and fee requirements to avoid rejection of a business entity registration.
2.1.4 File all appropriate documents
After gathering all the necessary documentation, file the information with the appropriate entity. Nearly all states have an online filing system on the Secretary of State or Corporation Commission website. Some businesses prefer to use a third-party incorporation service to manage the process. After filing, the state should send an acknowledgment or some other proof that the filing was successful. That acknowledgment needs to be retained pursuant to a record retention policy. See Section 6.
2.2 Secure all required licenses and registrations
Licenses are required for all types of gambling operations. These licenses must be obtained and be in place prior to conducting any gambling activities.
2.2.1 Gambling-specific licenses
Land-based casino licenses
For physical “brick and mortar” casinos, licenses are required. The licensing process is lengthy and entails a detailed investigation of the proposed operator. For example, to open a physical casino in Nevada, an entity must obtain a non-restricted gaming license. The application process involves providing certified copies of organizational documents, information on all owners, officers, directors, and key executives, an explanation of all outstanding securities, annual reports from the previous three years, a financial history, and a business plan.
Specific remote gambling licenses
Many jurisdictions require operators to hold a specific remote gambling license for each type of remote gaming offered. For example, an operator may need an online sports betting license or online poker license in states such as New Jersey and Nevada. Other licenses may include licenses for software providers, premises licenses, licenses for payment processors, and licenses for key employees and other casino personnel.
For further information, see Quickview: Everything you need to know about the regulation of remote gambling.
Renewal of gambling-specific licenses
Gambling licenses expire after a certain period, so they must be renewed to remain valid. The exact renewal period, and the process and criteria for renewal, depend on the jurisdiction, the type of license, and the type of gaming activity that has been licensed. The same state regulatory board or commission as the one that originally issued the license will handle the renewal.
Transfer of ownership
Gambling licenses are, as a general rule, not transferable due to the extensive qualifications that licensees must possess. Gambling licenses therefore cannot be bought or sold like other business assets. The license is tied to a specific individual or entity. Transfers can occur only under very limited, specific circumstances and always require approval from the relevant gaming regulator. Examples include business mergers and acquisitions and business restructuring, and death of a licensee. Licenses cannot be transferred from one state to another.
2.2.2 Local and business operations license
In addition to gambling-specific licenses, a general license to operate a business within the jurisdiction is required. Land-based casinos will need to obtain approval from the local planning and building department to ensure the proposed use is zoned appropriately for a casino. Local licenses permitting the collection and remittance of local sales tax are also required.
Land-based casinos often include restaurants, bars, hotels, or entertainment venues. A gambling operator that has any other ancillary services must also obtain permits for those services, including liquor licenses and health department permits.
2.2.3 Federal registration for gambling devices
There is no federal gambling license in the United States. The Federal Gambling Devices Act, also known as the Johnson Act, does require that businesses that manufacture, sell, lease, or repair gambling devices register with the DOJ. Businesses covered by the Act must keep detailed records of all gambling devices they acquire, possess, or transport.
2.3 Prepare for background checks and financial vetting
Most jurisdictions require some variation of a test that ensures the suitability of gambling license applicants.
2.3.1 Suitability test for business entity
The suitability test for a business entity is sometimes referred to as a fit-and-proper test. The process is intense as the goal is to ensure that the owners and operators are financially and morally suitable. Each jurisdiction has established the documents required; all jurisdictions require information related to the good character, fitness, and financial stability of the applicant. Examples of documents required are master wagering licenses; federal tax ID; a description of the business, names, contact information, and dates of birth of owners and key employees; and financial statements. For an example of a suitability test, see Connecticut’s Online Gaming Service Provider Requirements.
2.3.2 Suitability for key personnel and investors
Suitability tests are also required for directors, key executives, and major shareholders to ensure suitability and relevant experience. Those individuals must undergo background checks, provide identifying documents, such as a government-issued photo ID and Social Security card, and provide certifications from gambling regulators. Most jurisdictions also require applicants to be fingerprinted. For an example of requirements for personnel and investors, see Michigan Gaming Control and Revenue Act Section 432.208.
2.4 Obtain all necessary business insurance
Obtaining and maintaining adequate insurance is essential for any gambling operation. Most jurisdictions require it, and it protects a business from unexpected financial losses. While gambling businesses are required or advised to carry the same types of insurance as any other business (eg, workers’ compensation, general liability), there are certain coverages that are especially important for gambling operations.
Professional liability insurance
Professional liability insurance, or errors and omissions (E&O) insurance, is essential due to the unique industry risks that gambling operators face. Professional liability insurance covers intangible risks related to payout disputes, regulatory compliance, and cyber threats for online operators.
Cyber liability insurance
Cyber liability insurance covers businesses for losses and legal costs from cyberattacks and data breaches. Coverage can include both first-party costs such as forensic investigations, data restoration, notification expenses, and lost income, as well as third-party liabilities such as lawsuits and regulatory fines related to failing to protect customer data.
Gaming equipment insurance
Gaming equipment insurance provides specialized protection for a casino’s valuable electronic and mechanical assets, such as slot machines, table games, as well as the associated technology. Coverage may extend to damage from vandalism or theft, and mechanical breakdowns.
Crime insurance
Crime insurance is a specialized insurance that protects gaming operators and establishments from financial losses due to criminal acts, including employee dishonesty, theft, and fraud. Due to the large amounts of cash handled by physical casinos, the coverage is critical.
Regulatory and license protection insurance
Regulatory and license protection insurance includes financial and legal support to help operators with complex licensing and regulatory compliance. These policies may cover costs associated with investigations, audits, penalties, and potential license suspension.
Step 3 – Technical standards
Gaming involves complicated machinery and games. Regulations require that all gaming equipment, including slots, table equipment, and online platforms, meet certain technical standards and be tested and certified by an independent testing laboratory (ITL) before installation or use. Many gaming labs use standards from Gaming Laboratories International (GLI). The purpose of the testing is to ensure game fairness, payout accuracy, and compliance with jurisdictional rules.
3.1 Understand requirements for game testing and certification
An ITL will test many different technical standards related to fairness and security. Below is a summary of some of the most commonly tested components.
Random Number Generator (RNG) testing
A Random Number Generator (RNG) is a computer algorithm that generates a sequence of random symbols or numbers that is essential to any game of chance. An ITL will test that the RNG truly produces statistically random results. RNGs are used in a wide variety of games including slot machines, blackjack, lotteries, and bingo.
Return to Player (RTP) verification
Return to Player (RTP) is the percentage of wagered money a game will pay back to players over time. An ITL will certify that the actual payouts match the manufacturer’s theoretical RTP percentage.
Game rules and pay-table disclosures
An ITL will verify that the game’s software correctly follows all specified game rules, pay tables, and instructions. A pay table must be displayed on the device advising the player of the odds, winning combinations, minimum and maximum bets allowed, and potential returns. Pay tables must be easily accessible to players. For example, on physical slot machines, the pay table is usually on a glass panel or video screen on the machine itself. For table games, the payout odds are usually displayed on the table’s felt portion.
Source code review
An ITL will examine the source code of games. Source code refers to the actual programming code that drives a game’s logic and functionality. In addition to RNGs, ITLs will confirm that the code correctly implements all of the game’s pre-defined rules and odds.
Security and anti-tampering measures
An ITL will examine a game’s security system. An examination includes verifying that only authorized users can access sensitive information, data is appropriately encrypted, and there is appropriate network security. In addition, ITLs will ensure that all games have the requisite anti-tampering systems in place. ITLs ensure adequate physical measures, such as screws and adhesives, tamper detection devices such as physical and environmental sensors, the system’s ability to react when a tampering attempt is detected, such as automatic shutoffs, and features that provide proof that tampering has occurred such as seals or coatings that visibly change once breached.
3.2 Ensure methods for secure data transmission
The FTC Safeguards Rule requires nonbanking financial institutions to maintain safeguards to protect the security of customer information. The Rule defines customer information as “any record containing non-public personal information about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of you or your affiliates.” The Rule requires covered entities to develop a written information security program that is appropriate to the size and complexity of the business. Section 314.4 of the Rule lists nine elements that the information security program must include.
Failure to properly protect personal information can result in data breaches that can lead in turn to identity theft, financial fraud, and money laundering. Data breaches can result in severe penalties and can lead to financial loss for the operator in the form of class-action lawsuits and fines.
3.2.1 Types of transmitted data that need encryption
Personally identifiable information
Gaming operators have access to a player’s highly sensitive personal information that is transmitted over the internet or to other entities. All personally identifiable information (PII) such as Social Security numbers, passwords, financial data, including credit/debit card and bank information need to be encrypted. For online gambling platforms, PII includes player location and device data.
Game outcomes and RNG seeds
For online gambling, an operator must also encrypt the game outcomes and RNG seed values to prevent unauthorized access.
3.2.2 Types of stored data that require encryption
Stored data is also subject to encryption requirements to prevent unauthorized access. Types of stored data that require encryptions are player profiles and anti-money laundering data.
Player profiles
In addition to PII that is transmitted, any PII that is stored on a server, such as a player profile must also be encrypted. Player profiles can also include transaction records and self-exclusion logs (a request by an individual to be excluded from access to gaming) that contain information such as dates of birth, contact information, and photographs. A self-exclusion log contains particularly sensitive information because it contains information concerning individuals who may suffer from a gambling addiction.
Anti-money laundering (AML) data
Since casinos are treated as financial institutions under the Bank Secrecy Act, they must keep extensive records on customers. That data must be stored for five years. The Financial Crimes Enforcement Network (FinCEN) requires that records obtained on computers or other media must be secure and readily accessible. Encryption is the standard method for ensuring that the stored data is secure.
For further information on Bank Secrecy Act compliance, see How-to guide: How to monitor Bank Secrecy Act (BSA) compliance.
Step 4 – Player verification and interactions
4.1 Implement player verification procedures
4.1.1 Age-verification
Each state has its own legal gambling age, so it is important to ensure proper age-verification protocols. Operators must confirm a customer’s age, by collecting their name, date of birth, and Social Security number. Most states in the United States require individuals to be at least 21 years old in order to gamble online. However, a small number of states allow 18-year-olds to participate in online sports betting.
4.1.2 Customer due diligence
In addition to age verification, gaming operators must collect a customer’s personal information, such as name, date of birth, and government-issued identification as part of the customer due diligence (CDD) process as part of mandatory anti-money laundering (AML) compliance requirements.
4.1.3 Screen for politically exposed persons and watchlists
After gathering customer’s personal information through the CDD process, the data is compared against multiple global databases that include politically exposed persons (PEPs) lists from global governments and sanctions lists, such as those from the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) . If a PEP is found, a casino must perform enhanced due diligence (EDD), which involves gathering more information regarding the customer including the source of funds and connections to illegal activities.
4.1.4 Geolocation and device validation
Geolocation ensures players are physically in a legally authorized area, and can be a useful tool when ensuring appropriate data security. For example, geolocation could detect potential threats if a single account logs in from multiple different physical locations in a short amount of time. Device validation creates a unique profile of a user’s device. The unique profile of each device can trigger alerts if unusual activity is detected, and can block potential tampering or account takeovers before data is compromised.
4.2 Implement responsible gaming measures
4.2.1 Responsible gambling measures
State regulatory bodies require that operators have responsible gaming measures in place prior to issuing a license. The measures are also required to maintain ongoing compliance with state-level gambling regulations. A brief summary of typically required responsible gaming measures is below.
4.2.2 Player protection
Casinos must have player protection tools in place. Such tools can include self-exclusion programs, deposit and loss limits, and time/session limits. In addition, operators must have Know Your Customer (KYC) procedures in place. KYC procedures are necessary to verify player identity to protect minors and prevent fraud. Operators that provide online gambling must perform identity checks before a user can open an account, deposit funds, or place bets. Generally, the information collected is the customer’s full name, date of birth, residential address, email, phone number, and Social Security number. Some states, such as Pennsylvania and New Jersey require multi-factor authentication for online gambling. This authentication helps enhance security and prevent fraud and proxy betting.
4.2.3 Responsible advertising
Most jurisdictions require that gambling operators engage in responsible advertising (ie, advertising that does not target young people or vulnerable adults). Advertisements may also be required to display warnings about the risks of gambling addiction and provide contact information for addiction resources.
4.2.4 Prohibitions on certain payment methods
A number of states – Illinois, Iowa, Massachusetts, and Tennessee – have banned players from using credit cards for online betting or gaming. In those states, players must either establish an online account with the operator to play or use their debit card to pay. Some major online gaming operators, such as, DraftKings, a popular online sports betting platform, have adopted voluntary bans on credit card payments.
Step 5 – Anti-money laundering (AML) and fraud prevention
5.1 Appoint a Bank Secrecy Act (BSA) compliance officer
Casinos are treated as financial institutions under the Bank Secrecy Act (BSA). As a result, casinos must develop and implement written anti-money laundering (AML) programs. Under the BSA, an AML program must have:
- a system of internal controls reasonably designed to prevent money laundering and assure compliance with the BSA;
- internal or external testing for compliance with a scope and frequency commensurate with the risks of money laundering and terrorist financing and products and services provided;
- training of casino personnel;
- designation of an individual or individuals responsible for day-to-day compliance with the BSA and the program; and
- procedures for using all available information to determine the name, address, Social Security number, and other information, and verification, of a person when required, and to determine the occurrence of any transactions or patterns of transactions required to be reported as suspicious; and
- for casinos that have computer systems, automated programs to aid in assuring compliance.
The board of directors must designate a qualified individual to serve as the BSA compliance officer. That individual is responsible for coordinating and monitoring day-to-day compliance with the BSA. The compliance officer should be competent to perform their duties and should have sufficient knowledge of the BSA and related regulations, and be independent.
For more information, see How-to guide: How to appoint a Bank Secrecy Act (BSA) compliance officer.
5.2 Ensure compliance with applicable federal AML laws
Additional federal AML laws apply to gambling operations.
5.2.1 Patriot Act
Passed after the September 11, 2001 terrorist attack in the United States, the USA PATRIOT Act strengthened and expanded the BSA to combat money laundering and terrorist financing through financial institutions, including casinos. Casinos with annual gaming revenue over $1 million are required to have an anti-money laundering (AML) program, customer identification programs (CIP), file suspicious activity reports (SARs), file currency transaction reports (CTRs), and maintain strict record-keeping protocols.
5.2.2 Unlawful Internet Gambling Enforcement Act of 2006
The Unlawful Internet Gambling Enforcement Act (UIGEA) of 2006 regulates online gambling. The UIGEA does not explicitly prohibit online gambling, but it does ban gambling businesses from knowingly accepting payments in connection with unlawful internet gambling.
While the UIGEA creates standards for financial institutions, it still relies on state laws to determine what qualifies as “unlawful” internet gambling.
Step 6 – Ongoing compliance
6.1 Establish recordkeeping policies
Casinos are subject to multiple recordkeeping requirements from both federal and state laws. Some of the documents that must be retained are:
- Federal records – under the BSA and FinCen requirements, casinos must keep currency transaction reports, SARs, monetary instrument logs, customer identification records, Know Your Customer documentation, and AML program records. The retention period is five years.
- State records – most states require casinos to keep gaming and accounting records, patron dispute records, employee licensing, surveillance recordings, and self-exclusion program records.
- General business records – in addition to gambling specific records, gambling operators must keep general business records such as payroll and human resource records, tax returns, contracts, and other financial documents.
The exact requirements and retention periods vary by state jurisdiction. Due to the numerous documents that must be retained and the varying time frames, it is essential to create an inventory of all records the company uses, develop a retention schedule, develop operational procedures that provide guidelines on how records are created and captured, and to ensure that there is adequate secure storage for required records. Secure storage requires access controls and should also include plans for destruction and disposal and backups for digital records.
6.2 Establish a system to track all filing and reporting deadlines
Tracking the numerous filing and reporting deadlines for gambling operations is vital for regulatory compliance. Such a system should include a centralized calendar that sets out all relevant federal, state, and local deadlines, including gaming license and registration renewals, tax payments, reporting requirements, and required AML reports.
6.3 Ongoing preparedness for audits/inspections
To be prepared for audits and inspections, a gambling operator should maintain well-organized records and implement internal controls that are in compliance with regulatory requirements. Conducting regular internal audits can help identify any potential issues and ensure preparedness for external audits. Gambling operators should ensure that all employees receive regular and ongoing training regarding compliance obligations and security procedures. Establishing a compliance team whose sole purpose is to monitor updates in regulations and conduct reviews and internal audits is highly recommended.
Additional resources
American Gaming Association, Responsible Gaming Regulations and Statutes Guide
US Financial Crimes Enforcement Network, Frequently Asked Questions Casino Recordkeeping, Reporting, and Compliance Program Requirements
Related Lexology Pro content
Quick views:
The regulation of remote gambling
Tribal gaming versus non-tribal gaming
How-to guides:
How to identify suspicious activity and make a Suspicious Activity Report (SAR) (USA)
How to monitor Bank Secrecy Act (BSA) compliance (USA)
How to appoint a Bank Secrecy Act (BSA) compliance officer (USA)
Checklists:
Currency transaction reporting requirements (USA)
How to identify suspicious activity and make a Suspicious Activity Report (SAR) (USA)
Initial response to a report of suspicious activity (USA)
Global research hub:
Reliance on information posted:
While we use reasonable endeavours to provide up to date and relevant materials, the materials posted on our site are not intended to amount to advice on which reliance should be placed. They may not reflect recent changes in the law and are not intended to constitute a definitive or complete statement of the law. You may use them to stay up to date with legal developments but you should not use them for transactions or legal advice and you should carry out your own research. We therefore disclaim all liability and responsibility arising from any reliance placed on such materials by any visitor to our site, or by anyone who may be informed of any of its contents.