OCC Handbook Update Consolidates 13 Years of Evolving Financial Services Audit Policy and Guidance

Cory Gunderson MD NYCBy Michael Thor, Leader of Protiviti’s North American Internal Audit Practice
and
Cory Gunderson, Global Leader, Financial Services

 

 

On December 30, the federal Office of the Comptroller of the Currency (OCC) issued OCC Bulletin 2016-47, Revised Comptroller’s Handbook Booklet and Rescissions. The handbook is the official field guide for federal bank examiners. The update consolidates 13 years of policy changes and guidance to create a single source of truth for all audit-related supervisory matters going forward.

Further, the bulletin expands the definition of internal audit to include consultation and advisory services, and emphasizes the internal auditor’s role in risk assessment and assurance.

Although the handbook is primarily intended for bank examiners to guide their supervisory review, it is a public document, which gives financial institutions the opportunity to review requirements and remediate gaps prior to an examination. In that sense, it serves as an open-book test.

At 152 pages, the bulletin is heavy reading. We published a Flash Report last month, which offers a high-level summary. Highlighted changes include policy and guidance related to:

  • Additional focus on risk management and internal audit’s role in providing assurance that the system is in place and operating effectively
  • Clarification of risk-based auditing and the need for dynamic audit plans and risk assessments
  • Internal audit’s role in challenging management’s strategic decisions (effective challenge)
  • Audit committee composition and responsibilities
  • The chief auditor’s independence with respect to administrative reporting relationships
  • Continuous auditing
  • Talent management
  • Identification and reporting of the root cause of control deficiencies and thematic control issues
  • Non-internal audit assurance activities

The bulletin also highlights the need for increased governance and oversight by boards and audit committees and the need for more robust policies and procedures around internal audit methodologies, including risk assessment, execution and reporting.

Much of the featured guidance is sourced from OCC Bulletins, the OCC’s heightened standards for certain large banks (12 CFR, Part 30), and internal audit guidance issued by the Basel Committee on Banking Supervision (BCBS). Changes by standard-setting bodies (the American Institute of Certified Public Accountants, The Committee of Sponsoring Organizations of the Treadway Commission, and more), were also incorporated.

There shouldn’t be any shocks here. These are things financial institutions have been hearing from their examination teams for years. The bulletin just brings everything under one umbrella.

Nor should anyone look to the bulletin for implementation instruction. Any changes in the bulletin are principles-based.

Taken as a whole, OCC Bulletin 2016-47 paints a picture of the escalating expectations and responsibilities placed on internal and external auditors, particularly in the years since the 2008 financial collapse. All this has happened over a span of several years, and it’s easy to miss the full scope of change, which only becomes apparent when everything is pulled together under one umbrella.

Read the full Flash Report here.

Customer Loyalty Through Better Security — and How to Achieve It

Rick ChildsBy Rick Childs, Managing Director
Consumer Products and Services Industry Leader

 

 

 

Customer loyalty programs are among the basic building blocks of successful consumer products and services companies today. These programs are not only competitive differentiators, but also key drivers of revenue and profits for retailers, restaurants, hotels, airlines and many other businesses. The success of loyalty programs, however, hinges on more than inspiring customers to opt in and offering them rewards that they find compelling. Consumer trust is also essential.

Consumers want to be assured that the companies they interact with through various touch points — online, offline and through mobile applications — are doing everything possible to protect their personal data and privacy. Even millennial consumers, who are generally more willing than customers in other demographic groups to share personal information with businesses in exchange for rewards, have high expectations that companies will keep their data secure and respect their privacy. And if the companies don’t, they are quick to hold them accountable.

Privacy concerns are weighing on the minds of executives in the consumer products and services industry this year, according to a survey, Executive Perspectives on Top Risks for 2017, from Protiviti and North Carolina State University’s ERM Initiative. Representatives of this industry group who took the survey ranked the following concern third among the top five risks: Ensuring privacy/identity management and information security/system protection may require significant resources for us.

Digitalization, the IoT and cyberthreats add to the challenge

Like most things related to information security in a digital world, privacy, customer identity management and information security are all easier said than done. In fact, they are becoming only more challenging for consumer products and services companies as these businesses:

  • Introduce more mobile and digital offerings to their customers
  • Collect, store and analyze more and more customer data from applications and devices
  • Develop and use applications and devices designed for the rapidly emerging and highly interconnected Internet of Things (IoT)
  • Embrace digitalization and migrate “analog” approaches to customers, products, services and operating models to an “always-on,” real-time and information-rich marketplace

It is hardly surprising then that consumer products and services businesses face a constant barrage of sophisticated and stealthy cyberthreats designed to target customer and payment information.

Recent high-profile data breaches and targeted hacks involving major retailers, fast food chains and hotels are just the latest headache-causing wrinkle as consumer products and services companies are scrambling to evaluate their ability to protect customer and payment information. (Executives no doubt had these incidents on their minds when responding to the latest risk survey: they also ranked cyberthreats among the top five risks for their industry in 2017.)

Drive results through strategy and collaboration

Certainly, there is no getting around the need for consumer products and services companies to devote more resources toward ensuring privacy, addressing identity management issues, and protecting information and systems. This is an imperative for any business that handles customer and financial data in a digital world. But organizations also must be very strategic when aligning and deploying these resources if they want to see results.

Developing the right strategy requires effective collaboration between the business and IT. If they are not doing so already, business executives in consumer products and services organizations should resolve to reach out to their counterparts in IT sooner rather than later.

Another party to include in discussions about privacy risk and cyberthreats this year: internal audit. We are seeing more organizations increasing business, IT and internal audit collaboration not only to address known risks, but also to help the business prepare for new challenges related to digitalization and the IoT. As Protiviti’s white paper, The Internet of Things: What Is It and Why Should Internal Audit Care?, explains, “Businesses developing and using applications and devices within the IoT must be aware of how the data they are collecting, analyzing and sharing impacts user privacy.”

Engaging business, IT and internal audit leaders to share their perspectives on these risks will help consumer products and services companies to ensure they are doing everything necessary to protect their customers’ privacy and information in a digital and hyperconnected world. It will also give them more confidence to interact with consumers through more channels, and to innovate programs and other offerings that will earn — and keep — their business.

A New and Better AML Regime?

Carol Beaumier

By Carol Beaumier, Executive Vice President and Managing Director
Regulatory Compliance Practice

 

 

 

On February 16, 2017, The Clearing House (a banking association and payments company that is owned by twenty-five of the largest commercial banks) released a report entitled A New Paradigm: Redesigning the U.S. AML/CFT Framework to Protect National Security and Aid Law Enforcement. The report analyzes the current effectiveness of the U.S. anti-money laundering/counter-terrorism financing (AML/CFT) regime, identifies fundamental problems, and proposes a series of reforms to address them. It is the output of two closed-door sessions held in 2016 that were attended by sixty senior former and current officials from law enforcement, national security, bank regulation and domestic policy; leaders of prominent think tanks in the areas of economic policy, development, and national security; consultants and lawyers practicing in the field; fintech CEOs; and the heads of AML/CFT at multiple major financial institutions.

The report concludes, in effect, that the current U.S. AML/CFT Framework is based on an amalgam of sometimes-conflicting requirements and focuses more on process than outcomes, and that combatting money laundering and terrorist financing continues to be hindered by communication barriers between law enforcement and the financial services industry, and among financial institutions themselves.

What the report advocates in two sets of recommendations – those for immediate implementation and those for further study – is a complete overhaul of the existing regulatory and supervisory regime. Specifically, the report identifies seven reforms for immediate action:

  1. AML/CFT supervision should be rationalized by having the Financial Crimes Enforcement Network (FinCEN) reclaim sole supervisory responsibility for large, multinational financial institutions and by requiring the Department of Treasury, through its Office of Terrorism and Financial Intelligence (TFI), and FinCEN to establish a robust and inclusive annual process to establish AML/CFT priorities. The perceived benefits of these actions would be (a) greater focus on outcomes and the development of useful information to law enforcement, as opposed to the process-based approach taken by prudential supervisors, and (b) better alignment between law enforcement objectives and financial institutions’ AML/CFT programs.
  2. Congress should enact legislation, already pending in various forms, that prevents the establishment of anonymous companies and requires the reporting of beneficial owner information at the time of incorporation. Not to be confused with the FinCEN Customer Due Diligence (CDD) requirements that will obligate financial institutions, by May 2018, to collect beneficial ownership on legal entities, this recommendation is intended to require the collection of beneficial ownership at the time of company incorporation and whenever such information changes, and to make this information routinely available to FinCEN, law enforcement and financial institutions. This would shift the burden of gathering beneficial ownership information from the financial services industry to governmental bodies that incorporate these entities and, thus, free up financial services resources and allow them to spend more time on the detection of illicit activity.
  3. The Treasury TFI Office should strongly encourage innovation, and FinCEN should propose a safe harbor rule allowing financial institutions to innovate in a financial intelligence unit (FIU) “sandbox” without fear of examiner sanction. This would apply not only to large, multinational financial institutions that, through their direct collaboration with FinCEN, would presumably be leaders in innovation, but also to other financial institutions, which may have been reluctant to innovate for fear of their prudential regulators not being willing to accept new and different approaches.
  4. Policymakers should de-prioritize the investigation and reporting of activity of limited law enforcement or national security interest. This could be accomplished by raising the SAR reporting thresholds; eliminating SAR filings for insider abuse; and reviewing all existing SAR reporting guidance for relevancy (e.g., why should large financial institutions need to file SARs on cyberattacks when they typically engage in real-time communications with law enforcement when such attacks occur?). As with other recommendations, the impetus here is to free up resources to focus on what is really important.
  5. Policymakers should further facilitate the flow of raw data from financial institutions to law enforcement to assist with the modernization of the current AML/CFT technological paradigm. This would allow FinCEN to use big data analytics to identify illicit activity that cannot be detected by an individual financial institution.
  6. Regulatory or statutory changes should be made to the safe harbor provision in the USA PATRIOT Act (Section 314(b)) to further encourage information sharing among financial institutions, including the potential use of shared utilities to allow for more robust analysis of data. These changes should: (a) make it clear that information sharing extends to financial institutions’ attempts to identify suspicious activity and is not limited to sharing information about potential suspicious activity – e.g., information sharing might apply during the onboarding process when a financial institution may have questions about or find gaps in information provided by a prospective client; (b) broaden the safe harbor to other types of illicit activity beyond money laundering and terrorist financing; and (c) extend the safe harbor to technology companies and other nonfinancial services companies to allow for greater freedom to develop information-sharing platforms.
  7. Policymakers should enhance the legal certainty regarding the use and disclosure of SARs. The perceived benefits of allowing broader sharing of SAR information within a financial institution, including cross-border sharing, would be better transaction monitoring and higher quality SARs that provide more useful information for law enforcement.

Areas identified for additional study include:

  • Exploring the broader use of AML/CFT utilities to promote information sharing, and address barriers that hamper their use
  • Affording greater protection from discovery of SAR supporting materials
  • Balancing and clarifying the responsibilities of the public and private sectors for preventing financial crime
  • Establishing a procedure for “no action” letters whereby financial institutions could query FinCEN to determine how it would react to certain facts and circumstances
  • Providing the financial services industry with clearer standards of what constitutes an effective AML/CFT program
  • Improving coordination among the governmental players with a stake in combating money laundering and terrorist financing, and
  • Modernizing the SAR reporting regime to provide additional guidance on when to file or not file a SAR.

While there are pros and cons to be debated on many of the recommendations, the report, in summary, reveals the long-standing frustration of both the financial services industry and law enforcement with the current regime’s ineffectiveness. Financial institutions, with limited direction from the government, invest huge sums of money and dedicate large teams of people to “find the needle in the haystack” only to find their compliance efforts are often criticized by their regulators, even in the absence of actual wrongdoing. Law enforcement, for its part, tries to manage large volumes of information presented to it in the form of required reports from the financial services industry, much of which not very useful in identifying the real criminals and risks. The solution seems simple: communication and coordination. Effecting that solution will likely prove difficult, especially in the short term with a new administration that has already staked out an aggressive regulatory reform agenda. But, that doesn’t mean it’s not worth trying.

Regulatory Activity Unabated Despite Uncertain Regulatory Outlook

Steve StachowiczBy Steven Stachowicz, Managing Director
Risk & Compliance

 

 

 

A month into the new U.S. administration, it’s clear that the political landscape is shifting. The administration has issued executive orders calling for a review of existing laws and regulations based on how they promote certain “core principles” related to the regulation of the U.S. financial system; a review of the Department of Labor’s Fiduciary Rule scheduled to take effect later in 2017; and an “implement one, repeal two” standard for the issuance of new regulations. Talk abounds about congressional actions aimed at actual or possible legislation, such as the TAILOR Act and the Financial CHOICE Act, which would affect the current regulatory structure as well.

The long-term ramifications of these actions for financial services regulation, supervision and enforcement are still unknown, and it may be some time before we have a clear view of what the future will look like. Meanwhile, financial institutions must still contend with the regulatory structure that exists today. Regulatory or self-regulatory agencies at the state, federal and even international levels are continuing to move forward with their existing supervisory and regulatory responsibilities. We address these in the February edition of Compliance Insights.

  • In the anti-money laundering (AML) space, we note that the Conference of State Bank Supervisors released a Bank Secrecy Act/AML Self-Assessment Tool to help financial institutions better manage money laundering risk. Risk assessments are top of mind for regulators, who consider logical, well-balanced and robust assessments the focal point of a sound risk management program. The self-assessment tool was issued not only to help provide transparency into how risks are assessed, monitored and communicated within an institution, but also to promote greater transparency among institutions to benefit the broader financial services industry.
  • Within the securities space, the Financial Industry Regulatory Authority (FINRA) published its Regulatory and Examination Priorities Letter for 2017, which identifies known and potential risks facing broker-dealers, investor relationship management and market operations. FINRA uses the annual priorities letter to communicate areas of focus for its information requests and examinations for the upcoming year. The 2017 letter highlights the “blocking and tackling” roles of compliance, supervision and risk management through FINRA’s focus on reviewing firms’ business models, internal control systems and client relationship management. Priorities identified for 2017 include: monitoring brokers with a history of disciplinary actions or complaints; sales practices; financial risk management and liquidity; operational risks; and market integrity.
  • Privacy concerns are atop the agenda for the European Commission (EC), which published the draft text of a proposed e-privacy regulation that, if adopted, would replace the EC’s current ePrivacy Directive with a more expansive regulation. Data privacy is a top priority for the EC, which seeks to establish a new privacy legal framework for electronic communications as part of a digital single market. The proposed regulation was developed with the intent to create better access for consumers and businesses to digital goods and services, level the playing field for digital networks, facilitate development of innovative services, and increase the growth potential of the digital economy.
  • Finally, the Consumer Financial Protection Bureau (CFPB) recently sued a bank for apparent unfair and deceptive practices related to enrolling customers into overdraft protection services. The suit contends that the bank violated the CFPB provision for implementing the Electronic Funds Transfer Act by misleading customers that overdraft protection was mandatory, concealing fees, deceptively seeking consent, and pushing back against customers who questioned the opt-in requests. Notably, the CFPB cites that the bank’s employee incentive program likely contributed to these issues, further highlighting the attention that the regulatory agencies are placing on sales practices and incentive compensation programs.

Even as Washington sorts itself out, financial institutions cannot lose sight of regulatory obligations and expectations that exist at the local, state, federal or even international level. The regulatory environment is likely to be quite dynamic in the foreseeable future, and financial institutions will remain challenged to manage their risks in this environment and not relax their compliance efforts.

Continue to follow our monthly roundups of compliance news here and on our site. The February issue is available here.

 

Cybercrime, Brand Damage Among Top Risks for Technology, Media and Communications Companies, Executives Say

gordon-tucker-3By Gordon Tucker, Protiviti Managing Director
Technology, Media and Communications Industry Leader

 

 

 

If improving brand protection isn’t a top-line agenda item in the cybersecurity discussions happening at the highest levels in your organization, it needs to be. In today’s era of lightning-quick social media sharing, brand protection has become even more important — and far more challenging — for technology, media and communications (TMC) companies. Two factors play a role:

  • Expanding use of social media and mobile applications by customers and employees: It is all too easy for outsiders to acquire and misrepresent personal and proprietary information.
  • The relentless tide of cyberthreats: The Identity Theft Resource Center (ITRC) reports that the number of U.S. data breaches reached an all-time high in 2016. Several leading TMC companies were among the businesses hit with high-profile, far-reaching, costly and reputation-damaging breaches last year.

In the face of these realities, including growing public disclosures of data leaks and breaches, many TMC companies are beginning to re-evaluate how they interact with other organizations and how they safeguard against breaches. Most C-level executives in this industry group also now realize that they themselves could be targets for hackers and other malicious actors seeking to gain access to personal records and other sensitive data.

There is no doubt that TMC executives, in general, are thinking a lot more about brand protection these days. In the latest Executive Perspectives on Top Risks Survey from Protiviti and North Carolina State University’s ERM Initiative, TMC executives ranked the following risks among the top five for their industry group in 2017:

  • Social media, mobile applications and other internet-based applications may significantly impact our brand, customer relationships, regulatory compliance processes and/or how we do business, and
  • Our organization many not be sufficiently prepared to manage cyberthreats that have the potential to significantly disrupt core operations and/or damage our brand.

On the cyber-risk front, it is important for TMC companies to recognize that the customer and financial data they handle are not the only targets for hackers. An organization’s intellectual property (IP) can be even more valuable to some threat actors, including nation states. The loss or theft of IP not only could undermine a company’s ability to compete but damage its brand and reputation in unanticipated ways.

Without question, loss or theft of any type of high-value data can have lasting, negative effects on an organization from both operational and brand perspectives. Everything negative that happens to a company and becomes public can damage its brand – and cyber breaches and loss of IP are some of the fastest ways for this damage to occur. Given these considerations, management and the board must work together to manage the brand and make brand protection one of the company’s top priorities.

To engage in effective dialogue on this topic, a recent issue of Protiviti’s Board Perspectives: Risk Oversight offers some guidance: Executives should take the lead in deciding what type of interaction they would like from the board and define how they want to involve the board in the brand protection process. And if the executives haven’t done this yet, then the board should waste no time in asking for their input.

Anticipating the Fifth EU AML Directive: What Financial Institutions Need to Know

matt-taylorBy Matt Taylor, Managing Director
Regulatory Compliance Practice

 

 

 

Money laundering regulations are proving to be as complicated as the shadowy financial transactions they are trying to prevent. A case in point: The Fourth European Union Anti-Money Laundering Directive (4AMLD), approved in 2015 and scheduled to go into effect June 26, 2017, has already been supplanted by 5AMLD — amended text addressing threats that have emerged in the period between the adoption and implementation of 4AMLD.

As it stands, the agreed 4AMLD text and effective date will remain, but financial institutions should anticipate additional regulatory changes from 5AMLD shortly thereafter. We issued a flash report last week, which outlines the proposed changes in 5AMLD and provides recommendations on how financial institutions can prepare for them.

There are five main requirements proposed by the 5AMLD that affect financial institutions:

  1. Virtual currencies. The 5th AMLD adds virtual currencies, anonymous prepaid cards and other digital currencies, such as bitcoin exchanges and wallet services, to the list of activities carrying the risk of terror financing. The 5AMLD better defines “virtual currencies” under EU law, and includes the requirement to adopt this legal definition in AML legislation across all member states. Under the proposed amendment, providers engaged in exchange services between virtual and hard currencies and custodian wallet providers will be required to apply customer due diligence (CDD), similar to what is already required for hard currency transactions.
  1. Identifying prepaid card owners. EU member states will be required to identify the customer in the case of remote payment transactions where the amount paid exceeds EUR50. After 36 months from the date 5AMLD enters into force (a date still to be determined), identification requirements will apply to all remote payment transactions. Certain exemptions may apply for “low-risk” customers where defined risk-mitigating factors are met.
  1. Beneficial ownership registers. Member states must comply with register requirements within 18 months of the 5AMLD implementation date. Registers must be interconnected to the European Central Platform within 18 months of implementation in accordance with the technical specifications and procedures set out in Article 4C of Directive 2009/101/EC. Technical requirements, including access controls and operational challenges, should also be considered and tested in preparation for compliance with 5AMLD requirements.
  1. Enhanced information sharing. 5AMLD requires member states to establish automated data clearinghouses at the national level to aggregate individual account ownership across multiple institutions. Data must be searchable by account holder, beneficial owner, IBAN number, and open and close dates, as applicable. Powers of EU Financial Intelligence Units (FIUs) will be enhanced through 5AMLD, as they will be permitted to request information from any obliged entity and would no longer be limited to identification of a predicate offense or suspicious activity report prior to an information request. The proposed amendments make information more easily accessible and align with international best practices.
  1. High-risk third countries. Member states will be required to apply specific enhanced due diligence (EDD) measures for transactions involving entities on a list of “high-risk third countries” defined by the European Commission. This is intended to reduce regulatory differences between member states, where some EU countries offer less-stringent controls in exchange for higher fees, allowing terrorists to exploit the weaknesses in these measures.

5AMLD has proved to be more controversial than 4AMLD, particularly with prepaid cards and virtual currencies being more tightly regulated and uncertainty regarding the implementation of centralized registers. Nevertheless, there is an ambitious timeframe for its adoption. With 4AMLD expected to become effective June 26, 2017 it is reasonable to assume that 5AMLD will become effective shortly thereafter, if not concurrently, and obliged entities should be ready to implement the proposed 5AMLD requirements.

Download the flash report for additional details and recommendations.

Doubling Down on AML: Higher Stakes for Casino Compliance

steve-wangBy Steve Wang, Managing Director
Internal Audit and Financial Advisory

 

 

 

Despite recent improvements in the gaming industry’s efforts to combat money laundering, enforcement actions by U.S. and foreign regulators have put casino operators on notice that their anti-money laundering (AML) programs and related internal controls are being subjected to greater scrutiny.

Consequences have escalated, and compliance officers face personal liability for AML violations on their watch, as a result of a court ruling that the Bank Secrecy Act (BSA) allows owners, officers, directors and employees to be held accountable, along with the organization.

Pillars of an Effective AML Program

Pillars of an Effective AML Program

Over the past two years, the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN) has levied seven fines, for a total of $110 million — more than double the volume, and almost ten times the dollar value, of all AML fines against casinos in the previous 11 years. Future penalties may also be on the rise. The Federal Civil Penalties Inflation Adjustment Improvements Act, effective last August, requires agencies, including FinCEN, to make “catch-up” adjustments to the fines, as well as annual inflation adjustments. Many civil penalties haven’t been adjusted in decades, which means that penalties could rise substantially. And FinCEN isn’t the only federal agency levying fines. The U.S. Treasury and the Department of Justice have also fined casinos.

Casinos have long been the focus of government scrutiny because of the large amounts of cash they handle, which make them particularly vulnerable to money laundering and terrorist financing risks. But not all news is bad. A research report from the American Gaming Association suggests that the gaming industry has taken significant steps to comply with AML and counter-terrorism financing (CTF) requirements. In its December 2016 Mutual Evaluation Report, the international Financial Action Task Force (FATF) commented favorably on the increased number of quality SAR filings by casinos — 50,941 in 2015, versus 21,308 in 2012.

Nevertheless, the increased emphasis on disclosure runs counter to an established industry practice of protecting the privacy of high rollers, and so casino operators and their compliance staff may feel uncertain about the best way to reconcile their disclosure obligations with business objectives.

Protiviti recommends that casino compliance officers take actions to mitigate the compliance risk, such as:

  • Share risk assessments with the proper stakeholders – Effective AML programs should take a risk-based approach, which starts with conducting a risk assessment at the property level. Assessments should be reported to executive leadership, and used to customize compliance programs with a particular focus on customer due diligence (CDD) and transaction monitoring.
  • Develop and share CDD standards with employees – CDD programs must evolve and take a risk-based approach to gaining a better understanding of patron relationships and identifying those that may pose a threat. Additional security should be assigned to those higher-risk customers to verify sources of wealth, known associates, game play, and screening against government sanctions lists. Enhanced due diligence policies should be in writing and align with heightened regulatory expectations and industry best practices.
  • Request additional resources – Higher stakes and expanding regulatory requirements mean more people, dollars and systems will have to be dedicated to AML compliance. It is essential that compliance officers request sufficient funding support from executive leadership. Given the recent focus on individual liability, it’s in their best interests.
  • Share information with other casinos – Threat information can be exchanged legally under the safe harbor provision of the U.S. PATRIOT Act, Section 314(b); however, casinos were generally not aware that they are covered under the provision. Casinos are also allowed to share SARs with other casinos under the same parent company located in the U.S. Both of these rules make compliance easier, and casinos should update their sharing policies and procedures to reflect that.
  • Stay current in AML training – Management should revisit AML training modules for different job roles, both for casino operators and compliance personnel. Operators should be taught to recognize red flags, such as large transactions with minimal gaming activity and cash transactions that appear to be structured to stay under the $10,000 federal transaction reporting standards.

The recent Protiviti flash report, Higher Stakes for Casino AML Compliance, offers a wealth of additional information on the topic. You can download it here.