Regulated gaming is booming in the United States. This is particularly true of newer forms of gambling, such as skill games, fantasy sports, and social casino games played on the internet and mobile applications. In fact, gaming is now legal in some form in 48 out of 50 states and the District of Columbia, and 36 states have legalized sports gambling since 2018. Gaming revenues in 2021 amounted to $53 billion with the American Gaming Association (AGA) reporting that commercial gaming revenue for Q1 2023 reached $16.6 billion.

This growth in remote gaming presents unique compliance challenges that may be exacerbated by the absence of face-to-face customer interactions, including new and enhanced money laundering risks and social responsibility obligations. To date, the web-based and app-based gaming sector has not been subject to significant enforcement by U.S. federal or state criminal or regulatory authorities. But, as rapid expansion of this sector of the gaming market continues, we should expect that criminal and regulatory scrutiny will also increase.

The gaming world should be poised to address these emerging risks before they become legal and/or public relations liabilities. However, in the absence of robust enforcement precedent, how can international gaming businesses, particularly those seeking to establish themselves in the United States, focus their compliance efforts on the activities and controls most likely to be scrutinized? Some important cues may come from the United Kingdom, whose Gaming Commission (the Commission), in two recent actions against the Entain Group and the William Hill Group (WHG), has aggressively enforced British gambling regulations relating (in large measure) to web-based gaming.

Below, we briefly survey current U.S. gambling laws and identify the agencies that police them. Then, using the Entain Group and WHG enforcement actions as examples, we offer our thoughts about measures that will help emerging and established businesses remain compliant.

The State of Play: The Laws and Authorities Shaping US Regulated Gaming

Gaming in the United States is currently regulated primarily by the individual states, each of which has the power to prohibit or permit any of the myriad forms of gambling within its borders. This patchwork of laws makes it difficult for interstate business activities to function efficiently and compliantly. Fortunately, the states’ varied gambling legal regimes share many key features.

The U.S. Department of the Treasury (Treasury) Financial Crimes Enforcement Network (FinCEN) also has regulatory authority over most gaming activity under the Bank Secrecy Act (BSA), which defines casinos operating in the United States as financial institutions for purposes of anti-money laundering (AML) controls and federal reporting requirements.

Further complicating the legal compliance challenge is that, in addition to the governmental bodies with regulatory authority over gaming, there are eight different criminal and civil laws that fundamentally shape gambling at the federal level, governing activities within all the states. These include:

• The Wire Act, 18 U.S.C. § 1084.
• The Unlawful Internet Gambling Enforcement Act (UIGEA), 31 U.S.C. §§ 5361-67.
• The Illegal Gambling Business Act, 18 U.S.C. § 1955.
• The Wagering Paraphernalia Act, 18 U.S.C. § 1953.
• The Johnson Act, 15 U.S.C. § 1953.
• The Anti-Lottery Act, 18 U.S.C. § 1175.
• The Indian Gaming Regulatory Act, 25 U.S.C. §§ 2701-21.
• The Interstate Horseracing Act, 15 U.S.C. §§ 3001-07.

Furthermore, there are several ancillary, broadly applicable federal criminal laws that likewise affect state gaming. These laws include the federal money laundering statutes (18 U.S.C. §§ 1956 and 1957), the Racketeering and Corrupt Organizations Act (RICO) (18 U.S.C. §§ 1961-68), and the Travel Act (18 U.S.C. § 1952).

Beyond FinCEN’s regulatory authority, multiple U.S. agencies and their investigatory arms enforce criminal and civil laws associated with gaming. These agencies include the U.S. Department of Justice (DOJ), which investigates criminal activity through the Federal Bureau of Investigation (FBI) and prosecutes offenses nationally through its multitude of lawyers. In addition, the Treasury has enforcement authority (beyond FinCEN) through the Internal Revenue Service (IRS), which oversees taxation and other potentially relevant components.

These are the principal federal entities expected to take primary enforcement action in relation to internet gaming in the United States. But what form will the enforcement action take, particularly as we move away from brick-and-mortar casinos with physical currency to increasingly web- and app-based gaming? Some answers may lie in recent enforcement activity by gaming authorities across the Atlantic.

Recent UK Enforcement

Two recent enforcement actions by the Commission, a public body that regulates gambling and oversees gaming law in the UK, provide helpful insight into the possible evolution of law enforcement with respect to internet gaming in the United States. The Commission has ramped up its enforcement activity in recent years and, in the last year, has brought its two largest enforcement actions ever against UK-based gambling businesses Entain Group and WHG.

On August 17, 2022, the Commission—after conducting a compliance assessment and regulatory review—announced an enforcement action against Entain Group for having committed “social responsibility and anti-money laundering failures” at its online and land-based businesses. Entain’s social responsibility (i.e., safer gambling) failures included insufficient interactions with customers to minimize customers’ gambling risks, failure to escalate customers for safer gambling review, and allowing customers subject to gambling inquiries or restrictions to open accounts. Entain’s AML failures included failing to adequately assess the risks of use of its online business for money laundering or terrorist financing, allowing large customer deposits without sufficient source-of-funds checks, failing to conduct prompt or sufficiently thorough customer due diligence, and allowing customers to gamble large amounts without being monitored.

As a result of these violations, the Commission required Entain to pay approximately $20.6 million (£17 million) in penalties. More specifically, Entain’s online business, LC International Limited, paid £14 million in penalties, while Entain’s land-based business, Ladbrokes Betting & Gaming, paid £3 million in penalties. Conditions were also added to Entain’s gambling-operator license, including that (1) an Entain board member be designated to oversee Entain’s improvement plan, and (2) that a third-party auditor review Entain’s compliance with the Commission’s License Conditions and Codes of Practice within 12 months of the enforcement action. At the time, this was the largest gambling enforcement action ever by the Commission.

The Commission announced an even larger enforcement action against WHG on March 28, 2023. As with the Entain Group enforcement, the Commission conducted a compliance assessment and regulatory review and identified social responsibility and anti-money laundering deficiencies. WHG’s social responsibility failures included insufficient controls to protect new customers or to address high-velocity spending and duration of play until customers, in a short period of time, had been exposed to risk of substantial loss; failure to promptly identify customers at risk of gambling-related harm, including identifying customer behavior that should have prompted further inquiry; and generally ineffective controls, including failing to apply a 24-hour delay between receiving a request for a credit limit increase and granting the request. WHG’s AML failures included permitting large deposits without appropriate checks, inadequate policies and procedures on proper steps after identifying customers who fit certain risk profiles, and deficiencies in AML staff training.

The Commission required WHG to pay approximately $24 million (£19.2 million) in penalties to settle the enforcement action. WHG (International) Limited, which runs williamhill.com, must pay £12.5 million in penalties, and Mr Green Limited, which runs mrgreen.com, must pay £3.7 million as part of the settlement. WHG’s land-based business, William Hill Organization Limited, must pay £3 million. As with Entain, certain conditions were added to WHG’s operating license, including (1) that a board member be designated to oversee WHG’s improvement plan, and (2) that WHG undergo a third-party audit to assess the implementation of AML and safer gambling policies, procedures, and controls.

Lessons Learned and Key Compliance Focus Areas

As web- and app-based gaming evolves, many uncertainties remain regarding technologies and enforcement posture. However, some key compliance themes are emerging of which companies in this space should be aware:

• Leverage “old-school” compliance standards to address emerging risks. Gaming companies moving into the web- and app-based spaces can learn from existing knowledge. Much can be learned from the experiences of brick-and-mortar casinos. Where possible, U.S. regulators will look to their historical expectations and enforcement actions in setting expectations of emerging gaming typologies. Gaming companies should be sure to focus first on developing robust policies and procedures around the major aspects of AML compliance requirements set out in relevant regulations. These include thorough and evolving risk assessment implicating each of their products/games, development of written policies and procedures, customer identification and diligence, pattern-based and automated transaction monitoring, enhanced diligence and monitoring for higher-risk categories of customers (e.g., high rollers and red-flagged customers), appropriate staffing and training, and an effective suspicious activity reporting protocol.
• Corporate social responsibility is an increasingly critical compliance priority. Beyond criminal or regulatory compliance requirements, regulated gaming businesses must be mindful of their responsibility to protect (1) gamblers who are at risk of harming themselves through gambling, and (2) minors, who may attempt to access their products remotely. With regard to potential problem gamblers, businesses should implement policies and procedures to ensure that at-risk gamblers are quickly identified; thorough due diligence is conducted; appropriate limitations are established in terms of betting amounts, deposits, credit requests, and betting activity within a certain time frame; and the individual is tracked and monitored throughout their relationship with the business and its affiliates. In the case of minors, companies should ensure that they have best-in-class identification and monitoring systems to assess the risk of minors using their products. This should include consideration of emerging technologies, such as facial recognition for identification verification, as these technologies become increasingly prevalent. These technologies are also important to prevent use of gaming products by prohibited parties, such as those subject to U.S. economic sanctions or criminal enforcement.
• U.S. criminal money laundering laws are expansive. All gaming activities with a U.S. nexus will be subject, at a minimum, to federal criminal prohibitions on money laundering, including broad prohibitions on accepting criminal proceeds under 18 U.S.C. 1957. These laws have expansive jurisdictional scopes, often providing for U.S. criminal enforcement action based on relatively limited U.S. contacts. Moreover, U.S. law enforcement authorities generally take a skeptical view of gaming, regarding it as a relatively high-risk industry where diligence and know-your-customer expectations are significant. U.S. authorities may penalize failures to address red flags when criminal proceeds are accepted or moved through a brick-and-mortar casino, as they suggest potential willful blindness by casino personnel. We should expect a similar posture with regard to gaming conducted in a remote environment, where transaction monitoring and automated controls may be even easier to implement and information about customers may be available in novel forms (e.g., internet protocol (IP) address geolocation and screening of cryptocurrency wallet address activity). Given the breadth of criminal enforcement opportunities, companies engaged with web- and app-based gaming should be thinking beyond regulatory compliance requirements such as the BSA. Even where companies operating in this sector may not be strictly required to comply with such laws, they should consider building AML compliance programs that are designed to prevent money laundering within their operations and that defend the company against criminal enforcement risks in the event of an inquiry.
• Virtual/cryptocurrency presents new challenges. Consumer demand for alternative currency options cannot be ignored, particularly in the world of remotely accessed products. While the tools available to vet and trace accounts associated with virtual currency are far more robust than they were only a few years ago, the risks presented by accepting such currencies are still exacerbated by the inherent potential for anonymity, the speed of transactions, and the regular intervention of new technologies, new market participants, and new currencies. The significant—and apparently increasing—pace of criminal and regulatory enforcement in the virtual currency space also raises risks that should not be ignored. As such, any gaming company considering acceptance of virtual currencies should conduct a thorough analysis regarding the regulatory requirements that may apply to their activities (as well as the regulatory status of their payment processors and other partners/counterparties). They also should ensure that their AML vetting and monitoring procedures are sufficient to address the unique risks posed by these types of transactions.

Conclusion

Surveying the best compliance path will be challenging for businesses seeking to enter the online U.S. gaming market. The growth of internet gaming in the United States presents significant business opportunities, but it also presents legal compliance risks created by the unpredictability of law enforcement efforts, which are still catching up with the realities of web- and app-based gaming. The confusing overlay of state and federal laws that apply to gaming in the United States compounds these risks. Following the recommendations above, however, may help avoid unwanted scrutiny from federal and state authorities.