On Nov. 12, 2008, the Department of the Treasury and the Federal Reserve issued final joint regulations providing prohibitions on funding of unlawful Internet gambling, which implement the Unlawful Internet Gambling Enforcement Act of 2006. The regulations, which become effective on Jan. 19, 2009, and require compliance by Dec.1, 2009, set forth specific requirements for U.S. financial firms regarding establishing and implementing policies and procedures to prevent payments to gambling businesses in connection with unlawful Internet gambling.

The agencies' action comes only a few days after House Financial Services Committee Chairman Barney Frank (D-Mass.) sent a letter to Treasury Secretary Henry Paulson asking that Paulson put a stop to issuing these regulations. Frank called the proposed rules "deeply flawed" and reminded Paulson that testimony from Treasury Department and industry representatives indicated that it would be "particularly difficult to craft workable regulations." Furthermore, Frank's letter specifically cited the lack of a definition for "unlawful Internet gambling," as a reason for delaying issuance and implementation of the rules and identified the great burden the lack of such a definition would place on financial institutions. There is some speculation that the new administration will attempt to invalidate these rules. We will provide further information on that possibility as it becomes available.

Changes to the Proposed Rule

The final rule remains substantially similar to rule proposed in October 2007. The final rule still retains a focus on due diligence by non-exempt participants in designated payment systems ("Participants"). It adds guidance as to what due diligence steps Participants should take. In particular, it sets out what documentation a Participant should collect from a commercial customer who presents more than a minimal risk of restricted transactions in order to comply with the rule. In short, Participants with commercial customers who present a risk of engaging in restricted transaction should request those customers to provide copies of licenses, or a legal opinion that no license is required, and a third-party certification that the commercial customer's business had adequate safeguards in place to ensure that it stays within legal limits.

The final rule, like the proposed rule, also does not define unlawful Internet gambling. Despite numerous comments calling for a more precise definition than that contained in the Act, the Agencies refused to provide one, again citing a reluctance to interfere with the patchwork of state laws that regulate gambling.

Also consistent with the proposed rule, the final rule does not establish or publish a "blacklist" of businesses involved in unlawful Internet gambling. The Agencies refused to do so, claiming that such a list would be inefficient and would impermissibly require the Agencies to interpret laws that are written and enforced by other entities such as State legislatures and law enforcement agencies.

The final rule similarly does not answer the open question of whether poker is a "game of chance" or whether betting on poker is a "bet or wager" under the act, despite numerous comments requesting such a definition. Again, the Agencies rejected the invitation for a more precise definition, citing an unwillingness to interpret Federal and State law. The comments to the rule, however, do seem to indicate that "even if chance is not the predominant factor in the outcome of a game, but still was a significant factor, the game could still be deemed to be a 'game subject to chance' under a plain reading of the Act." In any event, the Agencies again cited the due diligence process and the proposed policies in the rule that provide for collecting documentation regarding licenses and legal opinions regarding the legality of any particular Internet gambling business.

Several changes were made to the proposed regulations in response to comments. A few of the most notable are:

  • A new definition of "block" to make clear that Participants are not required to freeze funds when they block a restricted transaction.
  • New definitions of "commercial customer" and "restricted transaction" that make clear the final rule does not cover consumer accounts.
  • An added definition of an "Operator" of a payment systems to mean any entity that provides centralized clearing and delivery services between Participants in the designated payment system and maintains the operational framework for the system.
  • A revision of the definition of "money transmitting businesses" that limits the rule's application to those businesses that permit customers to initiate money transmission transaction remotely from a location other than a physical office of the money transmitting business. Furthermore, the final rule exempts all Participants in a money transmitting system other than the Operator.
  • A refined set of exemptions that limit the rule's coverage to exempt every participant in a designated payment system, except those the Participants that have the relationship with the commercial customer.
  • Clarification that the rules apply only to the U.S.-based offices of Participants.
  • The deletion of a provision requiring Participants to monitor the Internet for the unauthorized use of their trademarks.
  • The deletion of provisions providing fines for Participants that have violated payment system rules developed for the purposes of complying with this section.

Q&A on the Final Rule

In light of these changes, who is covered?

The rules cover certain Participants in a number of different payment systems: automated clearing house systems ("ACH"), card systems, check collection systems, wire transfer systems and money transmitting businesses to the extent they engage in the transmission of funds (not including items such as checks, money orders, or currency exchange) and permit customers to initiate fund transactions remotely. § __.3.

Though the term "participant" is broad, the rule provides a series of exemptions that limit the rule's coverage to exempt every participant in a designated payment system except the Participants that are, for the most part, those that have the relationship with the commercial customer. All other Participants may rely on those parties' statements that they have complied with the rules. For example, in ACH systems, only the depository financial institution and third-party processor, and for foreign transactions the receiving gateway operator, must comply. Similarly, all Participants in a check collection system are exempt, except for the depository bank. For money transmitting businesses, only the operator (the party that provides centralized clearing and delivery services and maintains the operational framework) must comply—and, in a change from the proposed rule, only if a customer may transmit money from a remote location. Likewise, Participants in a wire transfer are exempt, except for the beneficiary's bank. § __.4.

Participants in "operator-driven" payment systems, such as a card system, may rely on a written statement or notice by the operator of the payment system that the operator has designed or structured its policies and procedures to comply with the regulation. § __.5(b)&(c).

What do I have to do now?

While the rules do not require compliance until December 1, 2009, nothing in the rules prevent Participants from beginning compliance at an earlier date. In fact, some Participants began compliance programs when the proposed rules were announced over two years ago. While a Participant could take a "wait and see" approach, given statements that the new administration might do away with these regulations, such an approach places those Participants in a position where they may need to scramble in order to meet a compliance deadline.

In order to comply, covered Participants must develop a written due diligence plan with policies and procedures reasonably designed to identify commercial customers that present more than a minimal risk of engaging in unlawful Internet gambling transactions ("restricted transactions"). § __.5.

At a minimum, the written due diligence plan should include the following elements:

  • Updated account opening procedures to provide employees opening accounts with guidelines defining when those employees should seek additional documentation from a commercial customer, what documentation will be required, the process is for reviewing the provided documentation, and guidelines for determining whether to open an account.
  • A form notice for all of its commercial customers through the account or commercial customer relationship agreement or otherwise that restricted transactions are prohibited from being processed through the account or relationship.
  • Policies and procedures to be followed if the Participant gains actual knowledge that its commercial customer has originated restricted transactions, including when the transaction should not be completed and when a customer's account should be closed.
  • ACH and Check Collection System Participants' plans should include policies and procedures for the receiving gateway operators and third party processors that receive instructions to originate a transaction from a foreign sender where the participant has actual knowledge that such instructions included instructions for restricted transactions.
  • Card system plans must provide for a coding system, such as transaction codes or business/merchant category codes that allow the card system operator or to identify and deny authorization for a transaction that the coding indicates may be a restricted transaction, as well as procedures for ongoing monitoring and testing to ascertain the accuracy of coding and analyze payment patterns to detect suspicious payment volumes.

What transactions must the due diligence process identify?

Restricted transactions are any transaction or transmittal that the Act prohibits any person engaged in the business of betting or wagering from knowingly accepting in connection with the participation of another person in unlawful Internet gambling. § __.2(y). This includes credit or the proceeds of credit (including credit extended through use of a credit card), electronic funds transfers or funds transmitted by or through a money transmitting business, or any check, draft or similar instrument payable at or through any financial institution. § __.2(y)(1-3).

As described above, the final rule does not to provide much guidance as to the definition of "unlawful Internet gambling" or what constitutes a "bet or wager" and leaves Participants with the task of navigating Federal and State law to determine which entities pose a risk of engaging in restricted transactions. § .__(bb).

A practical effect of these rules is that Participants will have to conduct due diligence and require additional documentation (as described below) from a greater number of commercial customers than they otherwise would if the final rule had provided more specific definitions or a blacklist. The suggested policies and procedures for the due diligence process encourage Participants in payment systems to place most of the burden on businesses engaging in lawful Internet gambling by stating that Participants can comply with the rule's due diligence requirements by obtaining certain documentation from a lawful Internet gambling business. § __.6. The rules thus seem to direct Participants to take the approach that if they have any doubt about whether the commercial customer engages in restricted transactions, they should request documentation from the commercial customer.

What documentation should I request from a commercial customer I suspect might engage in unlawful Internet gambling transactions, and what do the new UIGEA regulations mean for gambling businesses?

The rules require Participants to request, and gambling businesses to provide, two pieces of documentation in order to comply with the rules' due diligence process.

  1. Evidence of legal authority to engage in Internet gambling business. § __.6(b)(2)(ii)(B)(1). This evidence will take the form of a copy of the commercial customer's license and a written commitment by the commercial customer to notify the Participant if there is any change in its legal authority to engage in its Internet gambling business. § __.6(b)(2)(ii(B)(1)(i & ii). The comments to the final rule make clear that if the business does not have a license, the commercial customer must provide a reasoned legal opinion by the customer's counsel that demonstrates that the commercial customer's Internet gambling business does not involve restricted transactions. If any questions remain, the rule directs Participants to consult the applicable licensing authority.
  2. A third-party certification that the commercial customer's systems for engaging in the Internet gambling business are reasonably designed to ensure that the commercial customer's Internet gambling business will remain within the license or otherwise lawful limits, including with respect to age and location verification. § __.6(b)(2)(ii(B)(2).

What are the penalties for non-compliance?

The rules do not provide any additional penalties or enforcement mechanisms, and the final rule deleted the proposed rule's suggested fines for Participants who violate payment system rules developed to comply with this rule. UIGEA itself specifically provides that requirements regarding policies and procedures to identify and prevent restricted transactions shall be enforced exclusively by the Federal functional regulators with respect to the designated payment systems and participants that are subject to regulation under 505(a) of the Gramm-Leach-Bliley Act (15 U.S.C. § 6805(a) and § 5(g) of the Commodity Exchange Act (7 U.S.C. § 7b-2), and the FTC for all other Participants. Neither UIGEA nor the final rules provide a private right of action for violations of these rules.