Compliance Guide to Small Entities
Regulation GG: Prohibition on Funding of Unlawful Internet Gambling
12 CFR 233
What does the Unlawful Internet Gambling Enforcement Act require?
The Unlawful Internet Gambling Enforcement Act of 2006 ("UIGEA") prohibits any person, including a business, engaged in the business of betting or wagering from knowingly accepting payments in connection with the participation of another person in unlawful Internet gambling.2 Such transactions are termed "restricted transactions." UIGEA requires the Secretary of the Treasury and the Board of Governors of the Federal Reserve System (collectively, the "Agencies"), in consultation with the U.S. Department of Justice, to designate payment systems that could be used in connection with or to facilitate restricted transactions. Such a designation makes the payment system, and financial transaction providers participating in the system, subject to the requirements of the rule.
UIGEA also requires the Agencies, in consultation with the U.S. Department of Justice, to issue a rule requiring designated payment systems and financial transaction providers participating in each designated payment system to establish policies and procedures reasonably designed to identify and block, or otherwise prevent or prohibit, restricted transactions. The rule must identify types of policies and procedures that would be deemed to be reasonably designed to achieve this objective, including non-exclusive examples. UIGEA also requires the Agencies to exempt certain restricted transactions or designated payment systems from any requirement imposed by the rule if the Agencies jointly determine that it is not reasonably practical to identify and block, or otherwise prevent or prohibit the acceptance of, such transactions.
The rule implements these requirements.3
Is your business subject to the rule?
As required by UIGEA, the rule designates five payment systems that could be used to facilitate payments in connection with unlawful Internet gambling.4 The rule also exempts many participants in transactions in those payment systems.5 If, however, your business performs one of the following functions, your business is covered by the rule and should comply with the rule's requirements:
The operator (i.e., the entity that provides centralized clearing and delivery services between participants and maintains the operational framework for the system)6 of a money transmitting business that
- Engages in the transmission of funds (not including check cashing, currency exchange, or the issuance or redemption of money orders); and
- Permits customers to initiate transmission of funds transactions remotely from a location other than the physical office of the money transmitting business.7
- The depositary bank in a check transaction.
- The beneficiary's bank in a wire transfer.
- The receiving depository financial institution (RDFI) in an ACH credit transaction, the originating depository financial institution (ODFI) in an ACH debit transaction, the gateway operator for a cross-border ACH debit transaction, and a third-party processor for any of these.8
- The system operator, merchant acquirer, third-party processor, or card issuer in a card system (including credit cards, debit cards, pre-paid cards, and stored value cards).
If your business is covered by the rule, what is required?
You must establish and implement written policies and procedures that are reasonably designed to identify and block or otherwise prevent or prohibit payments related to unlawful Internet gambling that are restricted by UIGEA and are processed through your facilities.
Section 6 of the rule provides examples of policies and procedures for each designated payment system that would comply with the rule because they are reasonably designed to prevent restricted transactions. The examples are non-exclusive. You are permitted to design and implement policies and procedures tailored to your business that may be different than the examples provided in section 6. In addition, you may use different policies and procedures with respect to different business lines or different parts of your business.
The examples of policies and procedures for designated payment systems other than card systems focus primarily on a due diligence process when establishing a commercial customer relationship. For purposes of the rule, a "commercial customer" is a customer that is not a natural person (i.e., a customer that is a business such as a corporation or partnership). This would be the core policy and procedure to prevent or prohibit restricted transactions. You could conduct due diligence in account-opening procedures designed to ensure that the commercial customer does not originate or receive restricted transactions through the customer relationship. The examples focus on your business relationship with commercial customers only and do not contemplate that a participant would take any particular action regarding individual consumer accounts.
In addition to due diligence at account opening, the examples in section 6 suggest that you communicate to your commercial customers that restricted transactions are prohibited. You could notify all of your commercial customers that restricted transactions are prohibited, by adding a term in the commercial customer agreement, by sending a simple notice to your commercial customers, or by some other method. In the examples in section 6, your procedures would also include procedures to be followed in case you have "actual knowledge" (for example, if you receive information from government officials) that a commercial customer has received restricted transactions through your payment facilities. The procedures could cover, for example, the circumstances under which the commercial customer would not be allowed to initiate or receive further payment transactions through your payment facilities or the circumstances under which you would close the commercial customer's account.
If you are a depository institution that participates in ACH, check, and wire-transfer systems, you will be able to establish and implement the same due diligence policies and procedures for commercial customers across all three of those systems for purposes of the rule. You will not need to establish and implement separate policies and procedures for each of these designated payment systems.
Because the rule's due diligence examples only apply to commercial customers, if you have few or no commercial customer accounts, the rule is likely to present relatively minimal implementation burden for you.
What due diligence is sufficient for participants in designated payment systems other than card systems?
There may be several ways to meet the rule's requirement to have reasonably designed policies and procedures and section 6 of the rule suggests some possible choices. With respect to due diligence, the Agencies expect that you could use a flexible, risk-based approach in your due diligence procedures so that the level of due diligence you perform will match the level of risk posed by your commercial customer. Section 6(b) of the rule sets out specific procedures that you could follow to conduct adequate due diligence of your business's commercial customers in order to assess the risk they present of unlawful Internet gambling.
The most efficient way for you to implement the due diligence procedures may be to incorporate them into your existing account-opening procedures (such as those required of depository institutions under Federal banking agencies' Bank Secrecy Act (BSA) compliance program requirements).9 Specifically, you should have a basic understanding of a new commercial customer's business, based on normal account-opening procedures. If, based on your initial due diligence, you determine that your prospective commercial customer presents only a minimal risk of engaging in an Internet gambling business, you do not need to take further action under the rule before opening the account.
If a commercial customer's description of its business or other factors cause you to suspect that the customer may present more than a minimal risk of engaging in an Internet gambling business (for example, the commercial customer offers games or contests over the Internet), you should ask for further documentation from the commercial customer. A certification from the commercial customer that it does not engage in an Internet gambling business would address factual questions regarding the commercial customer's business.
Alternatively, if the commercial customer engages in an Internet gambling business, the commercial customer should provide further documentation to show that the Internet gambling business is lawful, such as a license issued by a U.S. State or Tribal authority that authorizes the commercial customer to engage in an Internet gambling business. If you have questions regarding the permissibility of a commercial customer's activities, you should consult with (or have the commercial customer obtain confirmation from) the applicable licensing authority. If the commercial customer does not have an Internet gambling license, you should obtain from the commercial customer a reasoned legal opinion from the commercial customer's legal counsel that demonstrates that the commercial customer's Internet gambling business does not involve transactions that are prohibited by UIGEA. You may want to consult your own lawyer if this occurs.
In addition, the commercial customer should provide you with a third-party certification regarding the commercial customer's automated systems. Specifically, the certification should confirm that the customer's automated systems for engaging in the Internet gambling business are reasonably designed to ensure that the commercial customer's Internet gambling business will remain within the licensed or otherwise lawful limits, including with respect to gambler age and location verification. This is to ensure that the Internet gambling business will prohibit minors from accessing the gambling business and that the gambler is located in a state where the gambling activity is permitted by applicable law.
If you are a depository institution and have commercial customers that are money transmitting businesses or third-party processors, you should apply your due diligence procedures, as described above, to those entities.10 You are not responsible, however, for conducting due diligence on the customers of the money transmitting business or third-party processor. In turn, if you are the operator of a money transmitting business or third-party processor, you are responsible for establishing and implementing your own UIGEA policies and procedures with respect to your own commercial customers.
The due diligence approach suggested in section 6 and discussed above is one approach to complying with UIGEA's requirements for establishing reasonably designed policies and procedures. As noted above, you are permitted to design and implement policies and procedures tailored to your business that may be different than the examples provided in section 6, so long as they comply with the requirements of UIGEA and the rule.
What are reasonably designed procedures with respect to card systems?
Card systems (including credit cards, debit cards, pre-paid cards, and stored value cards) are the only designated payment systems that use a merchant and transaction coding framework that permits participants to identify and block, during processing, transactions with indicia of being restricted transactions. The Agencies expect that a coding system to identify and block restricted transactions will be the method of choice for the vast majority of card system participants to comply with the rule.11
The rule's examples contemplate that the operator of a card system would establish and implement a code system, such as transaction codes and merchant/business category codes, that are required to accompany a transaction authorization and permit the card-issuing bank to identify and deny authorization for a transaction that the coding procedure indicates may be a restricted transaction (i.e., a gambling merchant/business code coupled with a "card not present" transaction code).
UIGEA permits a participant in a designated payment system to comply with UIGEA's requirements by relying on and complying with the policies and procedures of the designated payment system if the system's policies and procedures comply with the requirements of the rule. The rule also states that if you are a participant in a designated payment system (such as a card system), you may rely on a written statement or notice by the operator of that designated payment system that states that the operator has designed or structured the system's policies and procedures for identifying and blocking or otherwise preventing or prohibiting restricted transactions to comply with the requirements of the rule as conclusive evidence that the system's policies and procedures comply with the requirements of the rule, unless otherwise notified by your Federal functional regulator (as listed below).
Accordingly, if you are a depository institution and participate in a card system, you should be able to rely on the policies and procedures established by the operator of the card system when developing your own compliance procedure. In determining those card transactions for which you will deny authorization, you could rely on (and comply with) the merchant and transaction coding of the card system to determine which transactions may be restricted transactions.
Again, you may design and implement policies and procedures tailored to your business that may be different than the examples provided in section 6.
Do you have any legal protection from liability for refusing to honor transactions that you suspect are restricted transactions?
UIGEA provides that, if you identify and block a transaction or otherwise refuse to honor a transaction, you will not be liable to any party for such action if
- The transaction is a restricted transaction;
- You reasonably believed the transaction to be a restricted transaction; or
- You blocked or otherwise prevented the transaction in reliance on the policies and procedures of the designated payment system in an effort to comply with the rule.
Does the rule mandate a change in the circumstances or procedures for submitting suspicious activity reports (SARs)?
No, nothing in the rule modifies any requirement imposed on you by other applicable law or regulation to file a SAR with the appropriate authorities.
Who should you contact if you have further questions?
The requirements of this rule will be exclusively enforced by your Federal functional regulator. For example, the National Credit Union Administration will be responsible for enforcing the rule with respect to federally insured credit unions, the Office of Thrift Supervision will be responsible with respect to federal thrifts, the Office of Comptroller of the Currency will be responsible with respect to national banks, the Federal Reserve Board will be responsible with respect to State member banks, and the Federal Deposit Insurance Corporation will be responsible with respect to State nonmember banks. The Securities and Exchange Commission and Commodity Futures Trading Commission will be responsible for regulatory enforcement for their respective institutions that are non-exempt participants in designated payment systems. The Federal Trade Commission will be responsible for enforcement with respect to most non-exempt money transmitting businesses and other non-exempt participants not covered by the above regulators. Questions with respect to implementation of the rule should be addressed to your Federal functional regulator.
1. This guide was prepared by the staffs of the Board of Governors of the Federal Reserve System and the Departmental Offices of the Department of the Treasury as a "small entity compliance guide" under Section 212 of the Small Business Regulatory Enforcement Fairness Act of 1996, as amended (5 U.S.C. § 601 note). The guide summarizes and explains the joint rule adopted by the Board and the Treasury, but is not a substitute for the rule itself. Only the rule itself can provide complete and definitive information regarding its requirements. Return to text
3. The rule implementing UIGEA was promulgated jointly by the Department of the Treasury and the Board of Governors of the Federal Reserve System. Identical sets of the rule are published in the Code of Federal Regulations by the Board of Governors at title 12, Part 233 (12 CFR Part 233) and by the Department of the Treasury at title 31, Part 132 (31 CFR 132). Return to text
6. This means that the "send" agents of money transmitting businesses that receive funds for transmission and forward the payment instructions to the system operator are not subject to the rule. Return to text
7. This means that a money transmitting business is not subject to the rule if it only offers money transmitting services to customers that physically appear at an office of the money transmitting business to arrange and pay for the transfer of funds and it does not provide money transmitting services over the Internet or telephone. Return to text
8. With respect to the ACH system, the rule defines a "third-party processor" as a service provider that (1) in the case of an ACH debit entry, has a direct relationship with the commercial customer that is initiating the debit entry and acts as an intermediary between the commercial customer and the first depository institution to handle the entry; (2) in the case of an ACH credit entry, has a direct relationship with the commercial customer that is to receive the proceeds of the credit entry and acts as an intermediary between the commercial customer and the last depository institution to handle the entry; and (3) in the case of a cross-border ACH debit entry, is the first service provider located within the United States to receive the ACH debit instruction. Return to text
9. It is important to note, however, that the rule implementing UIGEA is separate from BSA regulations, and due diligence for purposes of the UIGEA rule differs significantly from BSA due diligence. Return to text
10. For example, you may be able to determine that the customer presents a minimal risk of engaging in an Internet gambling business. If not, you may choose to obtain a certification from the customer that it does not engage in an Internet gambling business. As with all of your commercial customers, you would also need to provide notice to the customer that restricted transactions are prohibited from being processed through its accounts with you. Return to text