New Jersey DGE AML Requirements: What Atlantic City and Online Casino Licensees Must Meet
NJ casino licensees face a dual AML stack: federal BSA under 31 CFR Part 1021 and DGE internal controls under N.J.A.C. 13:69O. Here is what each layer demands.
New Jersey casino licensees operate under a compliance architecture that combines federal Bank Secrecy Act (BSA) obligations enforced by the Financial Crimes Enforcement Network (FinCEN) with state-level internal controls requirements administered by the New Jersey Division of Gaming Enforcement (DGE). The two layers are not alternatives, they are cumulative, and a deficiency in either can produce concurrent federal and state enforcement exposure. Understanding where the federal floor sits, and where DGE requirements extend beyond it, is the baseline competency for any compliance officer operating in this jurisdiction.
The Dual Compliance Architecture
New Jersey casino licensees are classified as “financial institutions” under the BSA, which means the federal AML obligations codified in 31 CFR Part 1021 apply directly. FinCEN’s rules for casinos and card clubs set the minimum program, reporting, and recordkeeping requirements. The DGE then operates on top of that federal floor through N.J.A.C. Title 13, which covers Atlantic City casino operations, and through N.J.A.C. Chapter 69O, which governs internet and mobile gaming.
N.J.A.C. 13:69O-1.4(p) states explicitly that a casino licensee offering internet gaming “shall comply with all Federal requirements including, but not limited to, suspicious activity reporting and W2-G reporting.” This provision confirms that compliance with 31 CFR Part 1021 is a state regulatory obligation in New Jersey, not merely a federal one. A breach of FinCEN requirements is simultaneously a breach of DGE-approved internal controls, exposing the licensee to discipline from two separate authorities.
Key Obligation: Under N.J.A.C. 13:69O-1.3(j), a casino licensee must file with the Division internal controls for all aspects of internet and mobile gaming operations prior to implementation and any time a change is made thereafter. Those internal controls must include detailed procedures for system security, operations, accounting, and reporting. Any amendment to AML procedures therefore requires a new Division filing before deployment.
What Does the Federal BSA Require? The 31 CFR Part 1021 Floor
31 CFR Part 1021, maintained by FinCEN and current as of May 2026, sets out the complete federal AML framework for casinos. Subpart B covers AML program requirements. Subpart C covers currency transaction reports and suspicious activity reports. Subpart D covers recordkeeping obligations. Every NJ casino licensee must have a written program addressing all five required program elements before accepting a single wager.
The Written AML Compliance Program
Under 31 CFR § 1021.210, each casino must develop and implement a written program reasonably designed to assure and monitor BSA compliance. The program must provide for at minimum five elements. A system of internal controls must be established to assure ongoing compliance. Independent testing, internal or external, must be conducted, with scope and frequency commensurate with the money laundering and terrorist financing risks posed by the casino’s products and services. Personnel must be trained in the identification of unusual or suspicious transactions. A designated individual or individuals must be responsible for day-to-day compliance. Procedures must exist to use all available information to identify persons required to be identified, detect transactions or patterns that must be reported, and determine whether any recordkeeping exception under § 1010.970 applies.
The independence testing requirement at § 1021.210(b)(2)(ii) is a common audit finding. The test must be genuinely independent of the AML function it tests. Licensees that assign AML compliance staff to audit their own controls, or use the same third party that designed the program, will not meet this standard under a FinCEN examination.
Currency Transaction Reports: The $10,000 Threshold and the Aggregation Rule
Under 31 CFR § 1021.311, a casino must file a Currency Transaction Report (CTR) for each transaction in currency involving cash in or cash out exceeding $10,000. The regulation enumerates what counts as “cash in” and “cash out” exhaustively. Cash-in transactions include purchases of chips, tokens, and other gaming instruments, front money deposits, safekeeping deposits, payments on markers and counter checks, bets of currency, currency received for wire transmittal, purchases of a casino’s check, and bills inserted into electronic gaming devices. Cash-out transactions include redemptions of chips and tokens, front money and safekeeping withdrawals, advances on credit, payments on bets, wire transfer payments to customers, and cashing of checks or negotiable instruments.
The aggregation rule under § 1021.313 is operationally demanding. Multiple currency transactions must be treated as a single transaction if the casino has knowledge they are by or on behalf of any person and result in cash in or cash out totaling more than $10,000 during any gaming day. The casino is deemed to have that knowledge if any sole proprietor, partner, officer, director, or employee acting within the scope of employment has knowledge that such multiple currency transactions have occurred, including knowledge derived from examining books, records, logs, or information retained on magnetic disk, tape, or other computer-accessible media. Floor supervisors and cage staff must therefore have access to, and actively consult, transaction logs throughout each gaming day rather than treating the $10,000 threshold as applying only to single discrete transactions.
Structuring, which means breaking up a transaction to avoid the reporting threshold, is explicitly prohibited under § 1021.314. A casino that identifies structuring indicators must document them and assess whether a SAR filing is triggered, even if no single transaction reached the CTR threshold.
Suspicious Activity Reports: The $5,000 Threshold and Filing Mechanics
When Must a Casino File?
Under 31 CFR § 1021.320, a casino must file a SAR for any transaction conducted or attempted by, at, or through the casino that involves or aggregates at least $5,000 in funds or other assets, where the casino knows, suspects, or has reason to suspect that the transaction meets one or more defined indicators. The first indicator is involvement of funds derived from illegal activity or intended to disguise such funds. The second is design through structuring or other means to evade BSA requirements. The third is the absence of any lawful purpose or any unusual nature for which no reasonable explanation exists after examination. The fourth is use of the casino to facilitate criminal activity.
“In situations involving violations that require immediate attention, such as ongoing money laundering schemes, the casino shall immediately notify by telephone an appropriate law enforcement authority in addition to filing timely a SAR.”, 31 CFR § 1021.320(b)
The filing deadline is 30 calendar days from the date of initial detection of facts that may constitute a basis for filing. If no suspect has been identified at the time of initial detection, the casino may delay for an additional 30 days to identify a suspect, but in no case may reporting be delayed more than 60 calendar days after the date of initial detection. The 60-day outer limit is hard, with no further extension available.
SAR Confidentiality and the Tipping-Off Prohibition
Under § 1021.320(e)(1)(i), no casino, and no director, officer, employee, or agent of any casino, may disclose a SAR or any information that would reveal the existence of a SAR. When subpoenaed or otherwise requested to disclose a SAR, the casino must decline, cite § 1021.320(e) and 31 U.S.C. § 5318(g)(2)(A)(i), and notify FinCEN of the request and the response. The tipping-off prohibition is structural: it applies even when no person involved in the reported transaction is aware of the filing. Internal sharing within the corporate organizational structure is permitted under § 1021.320(e)(1)(ii)(B) only for purposes consistent with Title II of the BSA as determined by FinCEN regulation or guidance.
SAR records, including the original or business-record equivalent of all supporting documentation, must be retained for five years from the date of filing. Supporting documentation must be identified as such and maintained by the casino, and it is deemed filed with FinCEN.
Recordkeeping Obligations Under 31 CFR § 1021.410
For each deposit of funds, account opened, or line of credit extended, a casino must at the time of the transaction secure and maintain a record of the patron’s name, permanent address, and social security number. For non-resident aliens, the casino must record the passport number or a description of another government document used to verify identity. If the casino is unable to secure a social security number, it is not in violation provided it made a reasonable effort to obtain it and maintains a list of names and permanent addresses of those persons, available to the Secretary of the Treasury upon request.
The records required extend beyond account-opening data. Under § 1021.410(b), each casino must retain records of each receipt of funds for any person’s account or credit, all international transaction records including wire communications with persons, accounts, or places outside the United States, records prepared or received in the ordinary course of business needed to reconstruct a patron’s deposit or credit account, and records of each exchange of currency for currency, including foreign currency, in excess of $1,000. These records must be retained for five years and be available to authorized examiners.
Source: FinCEN, 31 CFR Part 1021, Rules for Casinos and Card Clubs, as of May 26, 2026 (Subparts B, C, D).
NJ-Specific Requirements for Internet Gaming Licensees
New Jersey authorized internet casino gaming in 2013 with the requirement that all servers be located within Atlantic City casino premises. The DGE regulates internet gaming through N.J.A.C. Chapter 69O, which imposes AML-relevant obligations specific to the online channel that go beyond what 31 CFR Part 1021 addresses directly.
Patron Account KYC at Registration
Before a patron may wager through an internet or mobile gaming account, the casino licensee must complete account registration under N.J.A.C. 13:69O-1.3. The electronic patron file must include at minimum the patron’s legal name, date of birth, entire or last four digits of the Social Security number (if voluntarily provided, or equivalent for a foreign patron such as a passport or taxpayer identification number), account number, address, email address, and telephone number. The licensee must verify that the patron is of the legal age of 21, is not self-excluded, is not on the exclusion list, and is not otherwise prohibited from gaming. The patron’s certification that the registration information is accurate must be recorded.
Under N.J.A.C. 13:69O-1.3(l), a casino licensee must also periodically re-verify a patron’s identification upon reasonable suspicion that the patron’s identification has been compromised. This is not a one-time KYC exercise at account opening. It is an ongoing obligation tied to the casino’s risk monitoring of individual patron accounts, and it means the compliance program must define the triggers and procedures for re-verification in the internal controls filed with the Division.
Immediate Notification to the Division for Detected Money Laundering
Under N.J.A.C. 13:69O-1.2(i), the internet and mobile gaming managers must immediately notify the Division upon detecting any person participating in internet or mobile wagering who is engaging in, attempting to engage in, or who is reasonably suspected of cheating, theft, embezzlement, collusion, money laundering, or any other illegal activities. This obligation to notify the DGE is separate from, and in addition to, the federal SAR filing obligation under 31 CFR § 1021.320. A casino licensee detecting suspected money laundering must therefore initiate two parallel processes: the DGE notification, which is immediate with no grace period, and the FinCEN SAR filing, which is due within 30 days and at the outer limit 60 days if no suspect has been identified.
A casino licensee detecting suspected money laundering must initiate two parallel processes: immediate notification to the DGE under N.J.A.C. 13:69O-1.2(i) and a FinCEN SAR filing under 31 CFR § 1021.320 within the prescribed 30- or 60-day window.
Account Suspension and Prohibited Patron Notifications
Under N.J.A.C. 13:69O-1.4(u), if a patron is prohibited by the permit holder or the internet gaming intermediary from engaging in internet wagering, the casino licensee must notify the Division within 24 hours of the patron’s prohibited status and suspend the internet gaming account. If an account suspended under this provision is reinstated, the licensee must again notify the Division within 24 hours of the reinstatement. This real-time reporting obligation integrates with AML compliance: where a patron is suspended due to suspected financial crime activity, the 24-hour Division notification runs concurrently with the assessment of whether federal SAR requirements are triggered.
Annual Independent Security and Integrity Assessment
Under N.J.A.C. 13:69O-1.4(q), each casino licensee offering internet gaming must perform an annual system integrity and security assessment conducted by an independent professional selected by the licensee and subject to Division approval. The professional’s report must be submitted to the Division annually and must include the scope of review, the name and company affiliation of the assessor, the date, findings, any recommended corrective action, and the casino licensee’s response to the findings and recommended corrective action. AML system controls, including transaction monitoring, patron identification systems, and SAR workflow, fall within the scope of this assessment. Compliance teams should treat the annual assessment as a formal review of AML system adequacy, not merely a technical security exercise.
The DGE Internal Controls Filing Requirement
The internal controls requirement is the most operationally consequential DGE-specific obligation for AML programs. Under N.J.A.C. 13:69O-1.3(j), a licensee must file with the Division internal controls for all aspects of internet and mobile gaming operations prior to implementation, and again any time a change is made thereafter. The controls must include detailed procedures for system security, operations, accounting, and reporting. Under N.J.A.C. 13:69O-1.4(k), the internet gaming system’s method for issuing, modifying, and resetting patron credentials must also be documented in the internal controls.
The practical implication is that AML program revisions, including changes to transaction monitoring thresholds, SAR workflow procedures, patron re-verification triggers, or designated compliance officer responsibilities, require a Division filing before those changes take effect operationally. Licensees cannot simply update internal procedures and implement them, Division review and acceptance is a prerequisite. Compliance teams updating AML programs in response to FinCEN guidance or FATF typologies must build the DGE filing step into their change management timeline.
| Requirement | Source | Threshold / Deadline | Recipient |
|---|---|---|---|
| Currency Transaction Report (CTR) | 31 CFR § 1021.311 | Cash in or out >$10,000 per gaming day | FinCEN |
| Suspicious Activity Report (SAR) | 31 CFR § 1021.320 | ≥$5,000, file within 30 days (max 60) | FinCEN |
| Immediate money laundering notification | N.J.A.C. 13:69O-1.2(i) | Immediately upon detection | DGE |
| Prohibited patron notification | N.J.A.C. 13:69O-1.4(u) | Within 24 hours of prohibition | DGE |
| Internal controls filing (new or amended) | N.J.A.C. 13:69O-1.3(j) | Before implementation | DGE |
| Annual security and integrity assessment | N.J.A.C. 13:69O-1.4(q) | Annually | DGE |
| Patron account recordkeeping | 31 CFR § 1021.410 | At account opening, retain 5 years | Internal / available to examiners |
| SAR record retention | 31 CFR § 1021.320(d) | 5 years from filing date | Internal / available to FinCEN |
What Is a Title 31 Compliance Audit?
In New Jersey, the phrase “Title 31 compliance audit” refers to examinations conducted by FinCEN or, in some cases, by the DGE acting under its state licensing authority, that assess a casino’s adherence to the BSA obligations codified in Title 31 of the United States Code and the implementing regulations in 31 CFR Part 1021. These are distinct from the DGE’s routine regulatory examinations, though findings from a FinCEN audit can and do inform DGE enforcement activity given the explicit cross-reference in N.J.A.C. 13:69O-1.4(p).
A Title 31 audit will typically examine the written AML program for completeness and adequacy, the independence and frequency of internal testing, training records and documented competency assessments, CTR and SAR filing logs for completeness and timeliness, patron identification and recordkeeping files, and evidence that the casino has procedures for identifying and responding to structuring. Examiners will transaction-test against the SAR and CTR logs, looking for unreported transactions that meet filing criteria and for SARs filed outside the mandatory window.
The DGE additionally has authority to conduct its own casino compliance examinations under the New Jersey Casino Control Act. Where a DGE examination reveals AML deficiencies, the licensee faces both state-level sanctions under the Casino Control Act and potential referral to FinCEN for civil money penalty proceedings under 31 U.S.C. § 5321. Compliance officers should confirm current penalty exposure directly against the statute and with qualified legal counsel, as penalty calculations under § 5321 are fact-specific and depend on whether a violation is found to be wilful.
How Do NJ Requirements Compare to Other US Jurisdictions?
All US commercial casino jurisdictions share the same federal 31 CFR Part 1021 floor, as the BSA applies nationally. New Jersey’s distinguishing feature is the DGE’s explicit incorporation of federal compliance into its state regulatory framework through the internal controls filing system. Where many state gaming regulators treat Title 31 compliance as a parallel federal obligation sitting outside their own purview, the DGE’s architecture makes federal AML compliance a condition of the state licence. The DGE-filed internal controls must reflect how the casino implements its BSA program, and changes to that program require advance Division approval.
New Jersey internet gaming also benefits from a mature regulatory model that predates most other US states: NJ licensed online casino play in 2013, giving the DGE over a decade of supervisory experience with the specific AML risks of digital patron accounts, geolocation-based access controls, and cross-channel cash movements between internet accounts and land-based cage operations. Compliance teams new to the New Jersey market, particularly those with experience only in jurisdictions like Ontario (regulated under AGCO’s Registrar’s Standards for Internet Gaming) or Malta, should note that the NJ framework places an unusually heavy emphasis on pre-implementation regulatory approval for AML procedure changes, a requirement that demands longer change management lead times than many operators are accustomed to from other jurisdictions.
Practical Compliance Considerations for AML Officers
AML program gaps most frequently identified in NJ casino examinations centre on three areas. Aggregation failures occur when floor staff and cage staff do not have real-time visibility into a patron’s cumulative transaction total for the gaming day, allowing multi-transaction structuring to go undetected and unreported. Training currency failures occur when annual training programmes are not updated to reflect current FinCEN typologies or DGE guidance, leaving staff unable to identify emerging money laundering methodologies in the gaming environment. Internal controls staleness occurs when a casino’s DGE-filed controls no longer accurately reflect its actual procedures because the written document was not updated when operational changes were made, creating simultaneous BSA and state regulatory exposure.
For internet gaming operations specifically, the periodic re-verification obligation under N.J.A.C. 13:69O-1.3(l) is a design challenge. Compliance programs must define objective triggers for re-verification so that the obligation is applied consistently and documented, rather than left to ad hoc supervisory judgment. Triggers should include account dormancy followed by sudden high-value deposit activity, mismatches between a patron’s registered address and geolocation data, and deposit method changes inconsistent with the patron’s profile.
The prohibition on patron-to-patron fund transfers under N.J.A.C. 13:69O-1.3(g), which states that a casino licensee shall not permit a patron to transfer funds to another patron, directly addresses a well-documented money laundering method in online gaming environments. Any internet gaming system that permits account-to-account transfers must be configured to block this functionality entirely, and that configuration must be documented in the internal controls filed with the Division.
Compliance Note: Operators entering or expanding in the New Jersey internet gaming market should engage qualified legal counsel with New Jersey Casino Control Act expertise to ensure their AML internal controls filing meets current DGE requirements and adequately addresses both the federal 31 CFR Part 1021 program obligations and the state-specific reporting and account management requirements under N.J.A.C. Chapter 69O.
For compliance professionals assessing AML obligations across multiple regulated gaming jurisdictions, the AML and Financial Compliance hub provides comparative context on how FATF standards, FinCEN frameworks, and European AML directives interact across different licensing regimes. Review the hub regularly to stay current on evolving AML standards and compliance best practices in gaming.
Key Resources
31 CFR Part 1021, FinCEN Rules for Casinos and Card Clubs (as of May 26, 2026): The primary federal AML framework governing all US casino licensees. Available via the Electronic Code of Federal Regulations at ecfr.gov.
N.J.A.C. Chapter 69O, Internet and Mobile Gaming Regulations: The DGE’s comprehensive rulebook for internet and mobile casino wagering operations in New Jersey, including account management, internal controls filing requirements, and the explicit cross-reference to federal SAR obligations.
N.J.A.C. Title 13, Chapter 69D, Internal Controls for Casino Licensees: The DGE’s foundational internal controls standard for Atlantic City casino operations, including patron deposit account requirements referenced in Chapter 69O.
Bank Secrecy Act, 31 U.S.C. Chapter 53, Subchapter II: The statutory authority for all casino BSA obligations, including the civil money penalty provisions at 31 U.S.C. § 5321.
Matt Denney
Editorial · gamingcompliance.io
Reads the primary source so you don't have to. Fifteen years inside iGaming compliance: operator, supplier, and crown-corporation lottery.
The Tuesday brief, every week.
One email. Every regulator change we surface, every standard we re-index, every enforcement decision we read. No marketing, no fluff.
Unsubscribe with one click. We'll never share your address.