Casino Enterprise Management

Casinos are some of the most highly regulated enterprises within the business world. As stated in the National Gambling Impact Study Commission Report, they are considered to be a different type of business, requiring closer governmental oversight. According to the Commission Report, this is mostly due to risks that present themselves uniquely together in the casino industry. These risks are unfair games, crime and the impact on society. Aside from the regulations that impact these risks, such as the Bank Secrecy Act and jurisdictional minimum internal control standards, the casino industry has to comply with other industry regulations. Many of these regulations tend to have overlapping requirements in the disguise of a different regulation. These regulations include liquor control, food safety, employee safety (OSHA), patron privacy, payment card industry data security standards, employee health privacy (HIPAA), Office of Foreign Assets Control (OFAC), financial reporting requirements of the Securities Exchange Commission (SEC) (Sarbanes Oxley), compliance requirements of the Federal Sentencing Guidelines, and fair labor standards.

Compliance is expensive, and non-compliance is not a viable operating strategy. Historically, the various casino regulators have made it clear that compliance needs to be a priority. A jurisdiction may not allow a casino enterprise to open if it has not sufficiently met the regulatory requirements. Existing casino enterprises can be closed or penalized heavily for non-compliance. For example, in November 2006, the Financial Crimes Enforcement Network (FinCEN) of the United States Treasury assessed penalties of $1 million to the Tonkawa Tribe, who operated a casino on their reservation, for failing to comply with the Bank Secrecy Act. Furthermore, some regulations, like the Bank Secrecy Act, may hold individual employees of the casino personally liable for non-compliance. In 2006, FinCEN also assessed a $1.5 million penalty to the general manager of the casino operating on the Tonkawa tribe’s reservation, Edward E. Street. Often, these stories of casino non-compliance are newsworthy and tarnish the brand name of a casino.

Considering the quantity, scope and complexity of regulations faced by this industry, it is safe to say that each casino enterprise is challenged with providing efficient and effective compliance. Furthermore, this compliance effort can have a significant impact on the business, as nearly all aspects of the business are subject to at least one regulation. Although compliance is a cost of doing business, it is possible that efficient compliance can be a competitive advantage within the industry, as resources can be better deployed toward profit-generating activities.
This article will provide a road map for an efficient and effective approach to managing a compliance process within the casino industry. Although the focus of the approach will assume that you will be starting up a new casino, such an approach is applicable to any compliance environment.

Compliance Program
The keys to establishing an effective and efficient compliance program are 1) to diligently and continuously follow the steps of the compliance program; and 2) to always focus on simplifying and clarifying your compliance program. Remember that the goal of compliance is to focus and direct the activities of a large and varied population of employees across different departments. It is like trying to conduct an orchestra with music students of varied ability. The goal of this performance, however, is not to play the most beautiful music. Instead, it is to play the right song perfectly each time. To accomplish this with the most efficiency, one must make sure that the song is very simple and that the instruments are easy to play.

The process for managing regulatory requirements is called a compliance program. A compliance program is a repeatable grouping of processes that live and breathe throughout the life of the casino enterprise. Although each step remains the same, the program will change in lock step with changes in regulations and operating structure. A compliance program can be depicted as a modified version of the Deming Cycle (Deming, 1982). (See Figure 1.) The components of a compliance program would line up with the cycle as such:

Plan: Identify new or changed regulations, understand the regulations, assign accountability and design procedures to address risks.
Do: Train employees and execute compliance procedures.
Check: Monitor compliance with procedures and training requirements.
Act: Adjust procedures and escalate compliance issues.

Plan
Identify Regulations
Identifying regulations can be a bit more difficult than you might expect. The bad news is that not one list of all requirements exists. In fact, the specific requirements of a regulation are often very difficult to identify. The good news is that in the early stages of opening a property, the jurisdictional regulators will make it very clear what you need to do in order to open. At worse, they will provide you with documented requirements. Finding and identifying all the other regulations will be a bit difficult. It is best in these cases to start leveraging the professional services companies you may have on retainer, such as accountants and lawyers. They frequently know exactly what is going on in the regulatory world since they profit from providing you advice and/or assistance.

Understand the Implications
Once you have identified the applicable regulations, your next challenge is to understand what they mean and how they apply to your casino. Understanding regulations is not easy. In all cases, you will likely find the requirements are subject to some interpretation. The best strategy is to leverage all resources to understand what is required. Your best allies in this case will be the regulators, other casinos or companies with similar regulations in other industries, and professional service providers familiar with the industry such as accountants and lawyers.

Assign Accountability
With an understanding of the regulations, you are ready to determine ownership. Some regulations have a documented requirement for a committee or officer. Whatever the case may be, each compliance program will require executive-level support. This person or committee must have the understanding and authority to address compliance issues presented, regardless of the responsible department or employee. Compliance programs also need formal legal support, whether a representative from the department or the officer is on the committee. All accountability should be documented in a formation memorandum or a charter, which clearly outlines the responsibility and authority of the officer and/or committee.

Develop Procedures
The great majority of the resources required for a compliance program are invested in developing and executing procedures. Your ability to develop an efficient and effective program is greatly dependent on how you execute this step. Developing procedures is best done with the following steps:

1. Identify requirements: Prior to this step, you have identified and understood all regulations and how they apply to your organization. In this step, you need to translate the regulations into business requirements and document these requirements in a list that includes the regulation section number and the description of the requirement.

For example, Title 31 of the Bank Secrecy Act section 1021.210(a)(2)(ii) states: “Internal and/or external independent testing for compliance. The scope and frequency of the testing shall be commensurate with the money laundering and terrorist financing risks posed by the products and services provided by the casino.” Many casinos have translated this regulation into a requirement of an annual audit of the casino’s Bank Secrecy Act program and organization compliance. In some instances, regulations are so specific that the regulation and requirement will be the same.

A critical step in identifying requirements is fitting the regulation to your specific business. The government understands that each business is different, which makes it difficult to write rules that apply specifically to each one. In order to address this challenge, management must assess the inherent risks specific to their business. This risk assessment process allows management to identify the applicability of each requirement to their business. In some cases, management can reasonably conclude that the requirement described in the regulation may or may not apply in the same way to your organization. It is important to understand that policymakers are always balancing the intent of the regulation and its financial burden. If compliance with the law is too expensive, the regulated industry or company will become uncompetitive, causing unintended consequences to the business, customers, employees and other stakeholders. As a point of reference, FinCEN provided a very clear example of this. On June 20, 2010, FinCEN issued guidance in FIN-2010-G003 on criteria for assessing a Bank Secrecy Act compliance program. By using this guidance, companies can adjust their level of internal controls to better address the anti-money laundering risks specific to their business.

2. Document internal controls: Once you have identified and listed all requirements, you will try to match these requirements to existing internal controls. Using the same internal control to address multiple requirements across multiple regulations is the easiest way to build simplicity and efficiency into your compliance program. Many companies make the mistake of responding to different compliance programs as individual efforts, causing redundancy and unnecessary complexity.

In the example above, for the Bank Secrecy Act, you could map the annual audit requirement to an internal control by Internal Audit provide an annual assessment and report the results to the compliance officer and audit committee. In other instances, you will find that the regulation is so specific that it explicitly states the required internal control.

3. Evaluate gaps and overlap: Once all existing internal controls are mapped to regulatory requirements, you need to perform two analytical steps. First, you need to identify any instances where a requirement is not mapped to an internal control. This type of non-compliance evidences that the casino operation is not currently performing any procedures intended to address this requirement. Procedures must be designed and implemented within the appropriate departments to address the non-compliance.

Second, you need to identify all instances where multiple requirements are mapped to the same controls. As mentioned, eliminating these overlapping controls is a source of efficiency. In this case, with greater efficiency comes greater responsibility. All overlapping controls should be further evaluated to determine if the performance of the control meets the exact nature of each requirement. If not, the control must be adjusted to satisfy the requirement of the strictest regulation.

The result of this process will be a matrix detailing all internal controls that satisfy a regulatory requirement. Many controls will map to multiple requirements. As business processes and regulations change, this map will allow you to understand and communicate the impact on your compliance programs. Most notably, you can quickly assess whether a business process change will cause a regulatory violation.

Do
Train
With the completion of the planning phase, you should have a focused vision of which departments need what type of training. Many regulations define the training requirements. At the least, expect a regiment of new hire and annual trainings for certain regulations. Where it is not required in a regulation, you will likely need to keep the compliance officers or committees trained in the various regulatory changes.

Execute Procedures
This step refers to the daily tasks performed by employees within operating departments. Compliance requirements need to be embedded in their daily job functions. In an effective compliance program, these tasks become routine and expected functions of the position. A good practice is to make certain that key tasks or functions are included in job descriptions and described in departmental procedures.

Check
Monitor Compliance with Training and Procedures
Regular feedback is necessary to ensure that your compliance program is operating as intended. At a minimum, feedback should be focused on employee training and procedural compliance. Any weakness in these areas will result in current or future non-compliance. The best method of feedback is a balance of auditing and reporting. Regular audits performed by skilled, independent and objective auditors are a strong foundation for any monitoring program. Auditors are trained to look where you may not, and will bring issues to the surface that may normally go unidentified.

Developing and reviewing certain reports will provide a more frequent snapshot of program performance. Depending on the compliance program, reporting should be used in varying degrees. Some compliance programs, such as the Bank Secrecy Act, lend themselves to being monitored analytically. Others, such as HIPAA, do not. At a minimum, program owners should be reviewing a regular report that captures individuals who have not met their training requirements.
   
Act
Adjust Procedures
Once you have identified weaknesses, it is important to put that information to good use. In many situations, you may discover that the procedure being performed by the business is not sufficient to address the regulatory requirement. In these instances, the procedures must be adjusted and all changes implemented. In other situations, you may discover that the procedure is designed perfectly, but it is being executed imperfectly, or not at all. In these cases, reinforcement of the procedure’s importance is required. Close monitoring should follow to ensure implementation of any changes.

Escalate Issues
Not every situation can be addressed procedurally. Incidents arise where employees or departmental leaders are in a state of willful or longstanding non-compliance. There are many reasons for this to occur. The only solution is to escalate to the responsible officer or committee so that compliance can be restored in a short period of time. Implementing an anonymous employee hotline and a non-retaliation policy is a good way to address the possibility of these challenges and demonstrate the sincerity of compliance to management and regulators.

Conclusion­
An ineffective approach to compliance in the casino industry can be very costly. Utilizing the practical and systematic framework described above can increase the effectiveness and efficiency of an existing program, resulting in a competitive advantage. Designing this program to exist in the continuous improvement framework of the Deming Cycle will ensure that the effectiveness and efficiency of the program will always be guided toward an optimal state. A best-in-class compliance program may not sound like a symphony; however, the silence of regulators can be sweet music in the ears of a casino operator.


Bryant Richards, CMA, CIA is the Director of Corporate Governance for the Mohegan Tribe. He is also a Visiting Professor and Hospitality Program Chair at Nichols College in Dudley, Mass. Bryant can be reached at brichards[at]moheganmail.com.