Bank Secrecy Act for Online Casinos: 31 CFR Part 1021 Compliance Obligations Explained

Every online casino operating in a US-licensed market is a financial institution under federal law. That designation, established by 31 U.S.C. § 5312(a)(2)(X), is not a regulatory nuance or an aspirational compliance standard. It is a statutory fact that triggers the full weight of the Bank Secrecy Act and its implementing regulations at 31 CFR Part 1021. Compliance teams treating Title 31 as secondary to state gaming compliance are misreading the risk landscape entirely.

The BSA, formally the Currency and Foreign Transactions Reporting Act of 1970, codified at 31 U.S.C. §§ 5311 through 5336, was enacted to detect and prevent money laundering by requiring financial institutions to maintain records and file reports that create a financial intelligence trail for law enforcement. The Financial Crimes Enforcement Network (FinCEN), a bureau of the Department of the Treasury, administers and enforces the BSA. Casino-specific obligations are housed in 31 CFR Part 1021, which FinCEN separated from the legacy 31 CFR Part 103 framework when it reorganized its regulations into Chapter X in 2011.

Who 31 CFR Part 1021 Covers

The coverage definition matters before any other obligation. Under 31 U.S.C. § 5312(a)(2)(X), a casino, gambling casino, or gaming establishment constitutes a “financial institution” when it meets two conditions: it must be licensed as a casino under the laws of any state or political subdivision of any state, and it must have annual gaming revenue exceeding $1,000,000. An Indian gaming operation conducted under the Indian Gaming Regulatory Act qualifies under the same section, provided it is not limited to Class I gaming as defined in that Act.

“A casino, gambling casino, or gaming establishment with an annual gaming revenue of more than $1,000,000 which is licensed as a casino, gambling casino, or gaming establishment under the laws of any State or any political subdivision of any State.”, 31 U.S.C. § 5312(a)(2)(X)

Online casinos licensed in New Jersey, Pennsylvania, Michigan, or West Virginia fall within this definition the moment their annual gaming revenue exceeds the $1 million threshold. The threshold has never been adjusted for inflation since the statute’s original enactment in 1970, in 2025 equivalent purchasing power terms, $1 million in 1970 corresponds to approximately $82,900, meaning virtually every active online casino operator will meet it. The practical result is that the threshold functions as an automatic inclusion for any operating online casino platform, not a meaningful safe harbor.

The section at 31 CFR § 1021.100 sets out definitions applicable to Part 1021. For online operators, the definition of “casino” and the scope of “gambling” activities covered are broadly construed to include digital equivalents of table games, slot activity, poker, and sports wagering where gaming revenue is attributable to the casino licensee. Operators with hybrid land-based and online operations compute revenue on an aggregate basis, not per channel.

The AML Program Requirement: 31 CFR § 1021.210

Section 1021.210 requires every casino to develop and implement a written anti-money laundering program reasonably designed to prevent the casino from being used to facilitate money laundering or the financing of terrorist activities. The program must be approved by senior management and made available to FinCEN or its designee upon request.

The USA PATRIOT Act, signed into law on October 26, 2001, reinforced and codified the four structural requirements that an AML program must satisfy. These requirements, embedded in the BSA as amended and reflected in the § 1021.210 framework, are: a system of internal policies, procedures, and controls, the designation of a compliance officer responsible for day-to-day operations, an ongoing employee training program, and an independent audit function to test the program’s effectiveness.

Each pillar carries practical obligations. Internal controls must be calibrated to the casino’s specific risk profile, covering account opening, cash handling, wire transfers, patron identification, and transaction monitoring. The designated compliance officer must have the authority and resources to implement the program, not merely serve as a nominal appointee. Training must be ongoing rather than a single onboarding exercise, covering identification of suspicious behavior, reporting procedures, and current money laundering typologies relevant to online gaming. Independent testing must be conducted by personnel not involved in the program’s day-to-day operation, and the results must be documented.

Online casinos face a structural complication that land-based casinos do not. Physical cash handling is absent or minimal, but the digital equivalents of suspicious cash activity, such as rapid deposit-and-withdrawal cycles without meaningful game play, layering through multiple payment instruments, use of third-party funded accounts, and chip dumping in poker environments, require transaction monitoring systems capable of detecting pattern-based anomalies rather than simple cash volume thresholds.

Currency Transaction Reports: 31 CFR §§ 1021.310, 315

Under 31 CFR § 1021.310, a casino must file a Currency Transaction Report (CTR) with FinCEN for each transaction involving the physical transfer of currency of more than $10,000 by, through, or to the casino. The $10,000 threshold applies to the aggregate of currency transactions conducted by or on behalf of the same person during a single gaming day. A “gaming day” is the normal business day of the casino as defined in its own internal accounting procedures, typically a 24-hour period.

The form used is FinCEN Form 112. The casino must file within 15 calendar days following the transaction. The report must include the patron’s name, address, Social Security number or taxpayer identification number, date of birth, and the nature and amount of the transaction. For online casinos, the “currency” at issue is almost exclusively electronic funds, which triggers equivalent reporting obligations when those transfers cross the threshold in a single gaming day.

Exemptions are narrow. Section 1021.315 permits casinos to exempt certain transactions from CTR reporting, but the available exemptions are more restricted than those available to banks under 31 CFR Part 1020. Casinos cannot exempt transactions by businesses or individuals simply because of a longstanding relationship. The exempt-person regime that banks use to avoid repetitive CTR filings for well-known commercial customers does not apply to casinos in the same form. In practice, online casinos should assume that every qualifying electronic transaction requires a CTR filing absent specific regulatory guidance to the contrary.

Structuring, the deliberate breaking up of transactions to avoid the $10,000 CTR threshold, is a separate federal offense under 31 U.S.C. § 5324, regardless of whether the underlying funds have any criminal origin. Casinos that know or suspect a patron is structuring are required to file a Suspicious Activity Report rather than simply declining to file a CTR. Allowing structuring to continue without reporting it exposes both the casino and its compliance officers to criminal liability.

Suspicious Activity Reports: 31 CFR § 1021.320

The SAR obligation under § 1021.320 is the cornerstone of casino AML compliance and the area that generates the most enforcement scrutiny. A casino must file a SAR when it knows, suspects, or has reason to suspect that a transaction or pattern of transactions involves funds from illegal activity, is designed to evade BSA reporting requirements, has no apparent lawful purpose, or involves the use of the casino to facilitate criminal activity.

The SAR filing threshold for casinos under § 1021.320 is $5,000, lower than the CTR threshold and reflecting the legislative judgment that suspicious activity at lower amounts warrants reporting. The filing deadline is 30 calendar days from the date on which the suspicious transaction is detected. If no suspect can be identified at the time of initial detection, the casino has 60 days to file from the detection date. There is no provision for delaying filing indefinitely because an internal investigation is ongoing.

Financial institutions must file a SAR when they know or suspect that funds come from illegal activity or are structured to evade BSA requirements, or when the institution appears to be used to facilitate criminal activity. The resulting database administered by FinCEN is available to US criminal investigators and foreign financial intelligence units worldwide.

The tipping-off prohibition is absolute. Under the Annunzio-Wylie Anti-Money Laundering Act amendment to the BSA, a casino that has filed or is considering filing a SAR cannot disclose to the subject of that report, or to any person involved in the transaction, that a report has been filed. Violation of this prohibition is itself a federal offense. All SAR filings are exempt from disclosure under the Freedom of Information Act. The safe-harbor provision under 31 U.S.C. § 5318 protects casinos from civil liability for SAR filings made in good faith.

For online casinos, the SAR obligation encompasses a broader set of triggering behaviors than traditional cash-focused land-based patterns. Relevant indicators include players making significant deposits immediately followed by withdrawals with minimal gambling activity, use of multiple payment methods on a single account, accounts funded by third parties, unusual bonus-claim patterns suggesting coordinated play, and rapid account-opening and account-closing cycles. Transaction monitoring systems must be calibrated to flag these patterns at or above the $5,000 threshold, not merely the $10,000 CTR level.

Recordkeeping Requirements: 31 CFR §§ 1021.400, 1021.410

Section 1021.400 establishes the general recordkeeping obligation: casinos must retain records sufficient to reconstruct any transaction and to permit reconstruction of the casino’s compliance with Part 1021. The minimum retention period is five years from the date of the record.

Section 1021.410 specifies the records casinos must obtain and retain for certain transactions, including purchases of chips, tokens, or gaming credits, the exchange of currency, the redemption of chips or tokens, and deposits to or withdrawals from patron deposit accounts. For each of these transactions above prescribed thresholds, the casino must obtain and retain the patron’s name and permanent address, social security or taxpayer identification number, and a description of the transaction. Where verification of identity is required, the casino must retain the type and number of the identification document used and its issuing jurisdiction.

Online casinos must maintain electronic records meeting these standards. The fact that transactions are digital does not reduce the retention obligation, it shifts the compliance challenge from physical document storage to structured data governance. Records must be maintained in a form that is retrievable on request from FinCEN, the IRS (which conducts Title 31 examinations of casinos), or law enforcement. Access must be available within a timeframe that permits timely response to subpoenas or civil investigative demands.

Information Sharing: 31 CFR §§ 1021.520 and 1021.540

Two separate information-sharing regimes operate under Part 1021, each with different scope and obligations.

Section 1021.520 governs mandatory cooperation with FinCEN under the Section 314(a) program. When FinCEN issues a 314(a) request, a specific information demand used to identify accounts or transactions held by persons suspected of terrorism or money laundering, a casino must search its records and report any match to FinCEN within two weeks of the request date. The 314(a) system is not a request that casinos may decline. It applies to accounts held, transactions conducted, and beneficial ownership information maintained in records during the preceding 12 months. Positive matches are reported directly to FinCEN, the casino does not contact the subject or the requesting law enforcement agency directly.

Section 1021.540 governs voluntary participation in the Section 314(b) program, which permits casinos and other financial institutions to share information with each other for the purpose of identifying and, where appropriate, reporting potential money laundering or terrorist financing activity. Participation in 314(b) requires the casino to file an annual notice with FinCEN. The program provides a safe harbor from privacy law liability for sharing that occurs within the program’s scope. For online casino operators building cross-operator fraud and AML intelligence, 314(b) participation is a material risk-management tool, though it remains elective rather than mandatory.

The Online Casino Compliance Gap: Federal vs. State Obligations

State gaming regulations in New Jersey (under the New Jersey Division of Gaming Enforcement), Pennsylvania (under the Pennsylvania Gaming Control Board), and Michigan (under the Michigan Gaming Control Board) each impose their own AML program requirements, transaction monitoring standards, and patron identification protocols. These state-level requirements run in parallel with, not in substitution for, 31 CFR Part 1021. The stricter obligation governs in any area of overlap.

Where the regulatory gap is most acute for online casinos is in the Title 31 examination program. The IRS’s Small Business and Self-Employed Division conducts examinations of casino BSA compliance, a function largely invisible to compliance teams that focus exclusively on state gaming authority oversight. An IRS Title 31 examination can result in civil monetary penalties, referrals for criminal prosecution, and reputational consequences entirely separate from any state enforcement action. Online casinos with strong state compliance records have been caught off-guard by federal Title 31 examinations precisely because their compliance infrastructure was built for the state examiner, not for FinCEN. Operators expanding into multiple regulated markets, whether additional US states or international jurisdictions such as Ontario, face an analogous challenge: each licensing layer adds obligations that do not displace the federal baseline, as explored in detail in our analysis of AGCO compliance lessons for new market entrants.

Nevada’s enforcement record in 2025 illustrates how state and federal AML obligations converge in practice. The Nevada Gaming Commission approved a $10.5 million fine against Resorts World Las Vegas for AML deficiencies connected to illegal bookmaker relationships, and a $5.5 million settlement with Wynn Las Vegas for related failures involving unlicensed money transmitting businesses. While outside counsel for Wynn characterized the Wynn settlement as distinct from a BSA case, structured under Title 18 Section 1960 rather than Title 31, the Nevada Gaming Control Board’s complaint identified a six-count pattern of AML failures directly implicating SAR obligations and the failure to identify suspicious activity by independent agents, according to published accounts of the NGC hearing proceedings. These cases demonstrate that federal BSA exposure and state licensing jeopardy are not separate risks, they arise from the same underlying compliance failures.

What Does a Compliant Online Casino AML Program Actually Require?

The four-pillar AML program under § 1021.210 must be operationalized for the digital environment. Internal controls for an online casino must address patron onboarding, including identity verification at account opening consistent with Customer Identification Program requirements under the USA PATRIOT Act, ongoing transaction monitoring calibrated to online gaming typologies, payment method risk-rating, bonus and promotional activity monitoring, and escalation procedures for high-risk accounts. The controls must be documented in writing and must reflect the casino’s specific product mix and customer base, not a generic policy template.

The compliance officer designation must be real rather than nominal. The designated officer must have direct access to transaction data, patron records, and the AML program documentation, and must have the authority to file SARs independently of business-line management. In the online environment, where volume makes individual transaction review impractical, the compliance officer’s function includes oversight of automated monitoring systems, quality assurance on alerts, and sign-off on disposition of escalated cases.

Employee training in an online casino context requires particular attention to the technology teams who build and maintain transaction monitoring systems. Software engineers and data analysts who configure alert rules are making compliance judgments about which patterns will and will not generate SAR reviews. They require training on BSA obligations at least as much as customer-facing staff do. Training records covering content, dates, attendees, and testing results must be maintained under the Part 1021 recordkeeping requirements.

Independent testing of the AML program must be conducted by qualified personnel not involved in the program’s day-to-day operations. For online casinos, this means testing that covers alert-rule calibration and coverage, SAR filing timeliness and completeness, CTR accuracy, recordkeeping integrity, 314(a) response procedures, and the completeness of patron identification records. The test frequency required by § 1021.210 is not explicitly specified in the regulation, but FinCEN examination guidance and industry consensus both support at minimum an annual cycle, with additional targeted testing following material system or program changes.

Penalties and Enforcement Exposure

Civil penalties for BSA violations are substantial and structured to compel compliance rather than merely punish past failures. Under 31 U.S.C. § 5321, the civil penalty for a willful violation of CTR or SAR filing requirements can reach the greater of $100,000 or the amount of the transaction, up to $100,000 per violation. Pattern-of-violations cases can produce penalties in the tens of millions of dollars. The regulatory restrictions available to FinCEN, including the equivalent of charter restrictions applicable to banking institutions, can result in limitations on operations or, in extreme cases, deregistration.

Criminal penalties under 31 U.S.C. § 5322 for willful violations can reach five years’ imprisonment per count, or ten years where the violation is part of a pattern of illegal activity involving more than $100,000 in a 12-month period. Individual compliance officers and senior executives face personal criminal exposure, not merely the institutional entity. The 2022 prosecution of BitMEX co-founder Arthur Hayes, sentenced to six months home detention, two years probation, and a $10 million fine for BSA violations, illustrates that executive-level criminal exposure under the BSA is not theoretical.

Structuring prosecutions carry their own distinct exposure. A casino operator or employee who facilitates patron structuring of cash transactions to avoid CTR filing, even if the underlying funds are entirely clean, commits a federal offense under 31 U.S.C. § 5324. The statute does not require proof that the structured funds had criminal origins.

Key Resources

FinCEN, Bank Secrecy Act Statutes and Regulations: fincen.gov/resources/statutes-and-regulations/bank-secrecy-act

31 U.S. Code § 5312, Definitions and Application: The statutory source for casino coverage as a financial institution under the BSA, accessible via the Office of the Law Revision Counsel at uscode.house.gov.

31 CFR Part 1021, Rules for Casinos and Card Clubs: The complete casino-specific implementing regulation, available via the Electronic Code of Federal Regulations at ecfr.gov.

USA PATRIOT Act Title III: The source for the four-pillar AML program requirements, as codified in amendments to the BSA, documented on the FinCEN statutory resources page.

Compliance teams building or auditing a Title 31 program for an online casino should engage qualified legal counsel with both gaming regulatory and federal BSA enforcement experience. The intersection of state gaming licensing requirements and federal FinCEN obligations requires dual-track expertise that not all gaming compliance practices maintain. For operators active in regulated markets outside the United States, the BSA framework and its reporting obligations differ fundamentally from the AML/CFT regimes applicable in those jurisdictions, and cross-border compliance mapping is essential before assuming that a program designed for one market satisfies the other. Review FinCEN’s examination guidance documents at fincen.gov to establish a compliance baseline tailored to your operator model and regulatory footprint.