The Fundamentals of Compliance

Article originally appeared in Gaming Management on 3/15/08

The Fundamentals of Compliance

Casino compliance plans are as unique as the casino companies they protect. These plans are designed to identify and evaluate risks arising in the course of business that may negatively affect objectives in order to ensure sound and appropriate gaming control. The nature and source of these risks and the ways they are identified and evaluated are particular to each company, but all effective compliance plans share certain attributes, such as a sound compliance policy and clear lines of authority and reporting.

Company Policies

A good starting place for an effective compliance plan is well-reasoned and committed company compliance policy. The written policies should set out the reason for and objectives of the compliance plan, together with the purpose of the policies. Typically, the policies are designed to reinforce overall objectives of regulatory control, including that licensed gaming is to be conducted honestly and competitively, free from criminal and corruptive elements. While some policies branch out to cover compliance with a variety of laws, such as election laws and corrupt practices, in the context of gaming regulation the focus should be the timely identification and exclusion of unsuitable persons from gaming activities and the prevention, or prompt detection and correction, of unacceptable situations. The definitions of an unsuitable person and an unacceptable situation are helpful in focusing policies to meet company objectives.

An unsuitable person is defined as someone whom gaming authorities or company officials determine to be unfit to be associated with a gaming licensee. This may be a subjective decision; for example, barring an individual notorious for unsavory personal conduct or affairs. In certain circumstances, suitability may be determined more objectively, based on a prior denial of a gaming license or other regulatory approvals, felony convictions involving moral turpitude, gaming law, narcotics law, or any criminal-related activities. An unsuitable situation is any event or circumstance that may adversely affect the objectives of gaming control by diminishing the public faith in the ability of the gaming authorities to assure the honesty of the games and the integrity of the industry. Both objective and subjective criteria should be set forth in the compliance policies to identify unsuitable persons and activities.

The policies also should set out the responsibilities of officers, directors and employees. They should mandate adherence to the compliance plan and state the consequences for non-compliance. Penalties for violations may include prosecution, demotion and summary termination of employment. Communication, education and training are key components of success. Casino management and officials should lead by example — as they would with any critical company objective — by fully complying with the policies to set the proper “tone at the top.” Underlying compliance policies are methodologies for obtaining information regarding potential unsuitable persons or situations. One source of information is a comprehensive set of internal reporting systems, including self-reporting by corporate officers and upper management. Effectively, these individuals should have a clear and defined affirmative obligation to report unsuitable situations, whether personal (such as being arrested) or involving business operations. Another way to collect information about compliance is through whistleblower programs. These programs often involve a delineated system for anonymously reporting unsuitable situations observed or suspected by company employees or others. Whistleblowers may be found inside and outside the company. Insiders include employees and directors. Outsiders may be vendors, regulators and investors. In addition, information received from gaming regulators or other law enforcement regarding operational issues or relationships may be a good source to identify compliance risks. This could include a written notice from gaming authorities concerning alleged wrongdoing that could have an adverse effect on the objectives of gaming control or otherwise violate compliance policies. The company also may automatically collect information on transactions or situations, such as material civil litigation, material transactions, major developments, material corporate financings, material contracts with major suppliers of goods and services, lease contracts, incidents reported in suspicious activity reports, and internal audit reports. Collected information should be limited to only material or major matters. For example, suppliers receiving more than $100,000 annually would be required to complete preprinted background forms. The plan should then specify what happens to the information once submitted. The compliance officer may have the responsibility to review the forms for completeness and conduct other investigations to complete the information required for the compliance committee’s review. Regardless of the source of information, the compliance plan should provide standardized directions for the compliance officer to conduct any investigation necessary to assist the compliance committee with reaching conclusions about allegations. The compliance committee efforts should be focused on reviewing information and reports developed by the compliance officer and determining a proper course of action. The committee should be afforded the cooperation of company personnel, including security, surveillance and internal audit, to accomplish the company’s compliance objectives. In addition, the compliance committee should have the authority and financial resources to hire outside expertise if needed to conduct a complete and comprehensive investigation.

All compliance committee activities, except for certain investigative actions, should be transparent to company directors, top management and gaming regulators. This can be accomplished by disciplined recordkeeping and reporting. The compliance plan should prescribe production, maintenance and retention requirements for records. This should include original complaints, police reports, employment applications, records of investigations and other materials. Finally, the compliance committee should maintain detailed minutes of meetings and decisions.

Authority and Reporting

To function, a gaming compliance plan requires structure and a clear delegation of authority and reporting. In most companies, major responsibilities for monitoring and ensuring compliance fall on a specially appointed compliance committee. The compliance committee helps the company comply with gaming regulations and other laws. The committee’s primary purpose is to identify and properly investigate potential violations of gaming statutes and policies, and to formulate recommendations on a course of action that the company may consider in appropriately addressing specific transactions or situations based on the collected materials and collective experience. Ultimately, the company, not the compliance committee, has the responsibility to determine the course of action related to unsuitable persons or unsuitable situations, and the responsibility to interface with the regulators. The composition of the compliance committee, including the number of members, qualifications and division of duties between internal staff members (officers and employees) and outside members, should be described as part of the compliance plan. Historically, compliance committees have consisted of the company president, a chief accounting officer and one or more independent members. These independent members are typically selected based on their familiarity and experience with law enforcement, regulated businesses, the business activities of the company, or gaming control. They are expected to be sensitive to the concerns of gaming authorities and capable of determining the compliance with gaming statutes and company compliance policies. In addition, the compliance plan should delineate how compliance committee members are to be appointed and how changes may be made. In many jurisdictions, the company may be required to report or obtain approval for changes in compliance committee membership. If so, this should be reflected in the compliance plan. The plan should also cover administrative matters like the frequency of meetings, the definition of a quorum and compensation. Company policies and the compliance committee represent two key aspects of an effective compliance plan. Another is the use of a corporate compliance officer as the key liaison between the company and the compliance committee. The compliance officer is responsible for coordinating, monitoring, testing and reporting company compliance efforts. The compliance officer has the responsibility for collecting necessary information needed by the compliance committee to make informed decisions. To avoid confusion and possible duplication of efforts, the compliance plan must provide a description of duties, responsibilities, authority and lines of reporting for the compliance officer, the compliance committee, senior management, company employees and the board of directors. Typically, the compliance committee will report to the board of directors, and the compliance officer will report to management. If designed correctly, the compliance plan is a management tool, with each key player serving a distinct and appropriate role. However, compliance plans may fail by not properly defining these functions and responsibilities. A compliance officer who believes he or she has the obligation to collect, judge and report situations to regulators outside the compliance process will soon lose the faith of the company and the compliance committee. Moreover, regulators will often receive raw information without informed review by the compliance committee. Gaming regulators may ask to review

1) the proceedings and recommendations of the compliance committee;

2) the due diligence of the compliance officer in collecting and presenting information;

3) the sufficiency of the company’s consideration of compliance issues and response to committee recommendations; and

4) the accurate reporting of the situations to the authorities. This inquiry is conducted within the confines of the delegated authority set forth in the compliance plan. As we noted at the beginning, no two compliance plans are alike, just as no two casino companies are alike. To be effective, each plan must reflect the individual nature of the company it serves. However, to be truly effective, compliance plans must meet the fundamental requirements outlined here.

Click here for a PDF of original article