This page contains a Flash digital edition of a book.
to detect, prevent and mitigate identity theft in connection with the opening of a covered account or any existing covered account.” “Establishing a robust Red Flags Rule program can help casinos secure their

customers’ information,” says Dowling, “and mitigate potential federal and state regulatory sanctions, as well as civil liability.” According to the regulations, a program must be appropriate to the size and

complexity of the business operation and must include reasonable policies and pro- cedures to: • identify relevant red flags (pattern, practice or specific activity that indicates

the possible existence of identity theft), and incorporate those red flags into the program; • detect red flags that have been incorporated into the program; • respond appropriately to any red flags that are detected to prevent and miti-

gate identify theft; and • ensure the program is updated periodically to reflect changes in risks to cus-

tomers. The categories of identity theft-related “red flags” that a subject business

should be cognizant of include, but are not limited to: • alerts, notifications or other warnings received from consumer reporting

agencies (such as a fraud alert, notice of credit freeze or address discrepancy includ- ed in a consumer credit report); • presentation of suspicious documents from a patron (including documents

that have been forged or altered, or if the photograph on an identification docu- ment is not consistent with the patron’s appearance); • presentation of suspicious identifying information (e.g. suspicious address

change, a Social Security number that had not been issued, or is outside the corre- sponding date-of-birth range, fictitious phone number); • unusual use of, or suspicious activity related to, a covered account (activity

on the account not consistent with past record of use, material increase in available credit line, mail to patron returned “undeliverable” although transactions continue to be conducted from the account); and • notice from patrons, identity theft victims, law enforcement or other persons

regarding possible identity theft. In addition to the development and implementation of the program, Red

Flags Rule compliance also requires the periodic performance of a “risk assessment” to determine whether the business offers or maintains any other accounts for which there are reasonably foreseeable risks to customers or to the business from identity theft. In conducting this periodic risk assessment, a business must take into account:

(i) the methods it provides to open its accounts, (ii) the methods it provides to access its accounts, and (iii) its previous experiences with identity theft. Veloro also emphasizes that “a written program demonstrates that the casino

has given the topic thoughtful analysis, meeting the requirements of federal law.” Dowling notes that “as with all compliance programs, the first step to estab- lishing an effective program is to prepare a risk assessment.”


A casino which is subject to the Red Flags Rule must craft a compliance program that will comfortably fit within and further complement its overall gaming regula- tory compliance procedures. This process will include drafting internal controls, assembling departmental operating procedures and obtaining the necessary gaming



regulatory approvals of such changes. Also, a casino should designate an appropriate individual or committee to

oversee the Red Flags Rule compliance program. For purposes of efficiency, and also to draw on existing institutional compliance knowledge, these oversight duties can be delegated to the existing compliance officer. However, a different designated employee, the board of directors, or a committee of the board can also be charged with Red Flags Rule compliance. Those charged with administering the compliance program should report, at

least annually, to the casino’s board of directors, a committee of the board or a designated member of senior management on Red Flags Rule compliance. Current employee training to ensure compliance with Title 31/Bank Secrecy

Act provisions, the mandates of the Office of Financial Assets Control and other gaming regulatory requirements should be expanded to include proper implemen- tation, administration and monitoring of the Red Flags Rule compliance pro- gram. Current internal and external audits of the compliance programs should also be expanded to include auditing of the identity theft prevention program. Finally, the Red Flags Rule compliance program should also be periodically

reviewed and revised to stay current for developments in the gaming industry, as well as to take into account identity theft instances experienced by the casino. Notably, Veloro also states, “It is our goal that our Red Flags Rule compliance

program will protect the casino against potential liability for penalties or for dam- ages that might result from identity theft.”


Red Flags Rule compliance should be an integral part of a casino’s overall compli- ance program. In addition to the gaming-related compliance concerns, the FTC is authorized to seek civil penalties and injunctive relief against subject businesses for regulatory violations. The current maximum civil penalty for non-compliance with the Red Flags Rule is $3,500 per violation. However, a more important rea- son for compliance is to provide a safe and secure wagering and entertainment environment. A sound identity theft prevention program assures your casino patrons that your property is doing its part to protect their identities.


For additional information concerning the FTC and its enforcement of the Red Flags Rule, visit Interested persons can also visit RMC Legal’s website ( and download a recent webinar presentation that discussed compliance issues related to the Bank Secrecy Act, the Office of Foreign Assets Control and the Red Flags Rule, as well as to register for a May 5 webinar titled, “You Think Your Casino is Compliant—Will an IRS Auditor Agree?”

David Waddell is an attorney and president of Regulatory Management Counselors, P.C. Waddell’s areas of practice include gaming law, Title 31 compliance, business, tax and municipal law. He also sits on the editorial board for the Gaming Law Review

and Global Gaming Business and has been listed in Best Lawyers in America for

gaming. He can be reached at 517-507-3859, or at

Douglas Minke is an attorney with Regulatory Management Counselors, P.C.Minke’s areas of practice include general business law, gaming supplier licensing, commercial litigation and creditors’ rights. You can reach Minke at 313-221-9380, or, or online at

Global Gaming Business • May 2010 Page 1  |  Page 2  |  Page 3  |  Page 4  |  Page 5  |  Page 6  |  Page 7  |  Page 8  |  Page 9  |  Page 10  |  Page 11  |  Page 12  |  Page 13  |  Page 14  |  Page 15  |  Page 16  |  Page 17  |  Page 18  |  Page 19  |  Page 20  |  Page 21  |  Page 22  |  Page 23  |  Page 24  |  Page 25  |  Page 26  |  Page 27  |  Page 28  |  Page 29  |  Page 30  |  Page 31  |  Page 32  |  Page 33  |  Page 34  |  Page 35  |  Page 36  |  Page 37  |  Page 38  |  Page 39  |  Page 40  |  Page 41  |  Page 42  |  Page 43  |  Page 44  |  Page 45  |  Page 46  |  Page 47  |  Page 48  |  Page 49  |  Page 50  |  Page 51  |  Page 52  |  Page 53  |  Page 54  |  Page 55  |  Page 56
Produced with Yudu -