US Casino AML Program: The Six Required Pillars Under 31 CFR 1021.210
Every US casino above $1M in gross gaming revenue must carry a written BSA program. Dissecting all six pillars of 31 CFR 1021.210 and where enforcement gaps occur.
Every casino with gross annual gaming revenue exceeding $1,000,000 is a financial institution under the Bank Secrecy Act. That classification carries a non-negotiable obligation: a written anti-money laundering compliance program that meets every minimum component specified in 31 CFR § 1021.210(b). The Financial Crimes Enforcement Network (FinCEN) enforces these requirements directly and has demonstrated, through a steady stream of civil money penalties, that program deficiencies at any size of property attract federal enforcement regardless of whether a state gaming regulator is also examining the casino.
This article dissects the mandatory program structure under § 1021.210(b), connects each component to its statutory authority in 31 USC § 5318(h)(1), and addresses the practical implementation questions that produce enforcement exposure most frequently.
Who Must Comply: The Gross Annual Gaming Revenue Threshold
The § 1021.210 compliance program requirement applies to casinos, a term defined broadly under 31 CFR Part 1021 to include both traditional casino properties and card clubs. A casino is subject to the full written program requirement once its gross annual gaming revenue exceeds $1,000,000. Casinos at or below that threshold are not subject to the currency transaction report (CTR) obligations under §§ 1010.306, 1021.311, and 1021.313, and accordingly the exception under § 1021.330(a) does not relieve them of all BSA obligations, they remain subject to suspicious activity report (SAR) requirements and general BSA provisions.
The non-gaming areas of a casino hotel or resort, including restaurants, retail, entertainment venues, and hotel operations, are treated as separate trades or businesses under § 1021.330(c). Currency received by those operations in excess of $10,000 triggers separate reporting obligations under 31 USC § 5331 and the associated regulations, independently of the gaming floor’s CTR framework.
Coverage threshold: Casinos with gross annual gaming revenue exceeding $1,000,000 must maintain a written BSA compliance program under 31 CFR § 1021.210(b)(1). The program must be “reasonably designed to assure and monitor compliance” with 31 USC chapter 53, subchapter II and the regulations in 31 CFR Part 1021.
The Statutory Foundation: 31 USC § 5318(h)(1)
Section 1021.210 derives its authority from 31 USC § 5318(h)(1), which requires financial institutions to establish AML programs incorporating, at minimum, the development of internal policies, procedures, and controls, the designation of a compliance officer, an ongoing employee training program, and an independent audit function to test program effectiveness. FinCEN translated these statutory pillars into casino-specific regulatory language through 31 CFR Part 1021, originally published at 75 FR 65812 (October 26, 2010), with subsequent amendments through May 2026. The regulatory text builds on the statutory floor with additional casino-specific requirements that address the unique cash-handling characteristics of gaming operations.
Source: FinCEN, 31 CFR Part 1021, Rules for Casinos and Card Clubs, Subpart B, § 1021.210 (up to date as of May 26, 2026); 31 USC § 5318(h)(1).
What Does the Written Program Requirement Actually Mean?
Section 1021.210(b)(1) requires each casino to “develop and implement a written program reasonably designed to assure and monitor compliance.” Three elements of that phrase carry operational weight. “Written” means the program must exist as a documented instrument, an undocumented practice, however consistently followed, does not satisfy the requirement. “Reasonably designed” gives FinCEN examiners a standard of adequacy against which program gaps are measured, a program that omits a required component or addresses a component only superficially can be found deficient even if the casino has not filed a fraudulent report. “Assure and monitor” establishes that the program must be active and ongoing rather than a static policy document filed away between audits.
A copy of the compliance program must be retained as part of the casino’s records under § 1021.410(a)(10), meaning FinCEN examiners can request and review the written document directly. The program’s written form is not a formality, it is itself a regulatory record subject to the five-year retention requirement that applies to casino records generally.
The Six Minimum Components Under § 1021.210(b)(2)
The regulation specifies that each compliance program must, at a minimum, provide for the following six elements. Each is a distinct, independently enforceable obligation.
A System of Internal Controls to Assure Ongoing Compliance
Section 1021.210(b)(2)(i) requires a system of internal controls. In practice, this means documented policies and procedures covering every BSA-relevant transaction type the casino handles: currency purchases of chips and tokens, front money and safekeeping deposits, marker advances and redemptions, wire transfer processing, check cashing, and the full list of cash-in and cash-out transaction types enumerated at § 1021.311(a) and (b). The internal controls must address how the casino identifies transactions that meet the $10,000 CTR threshold, how it aggregates multiple currency transactions by the same customer within a gaming day pursuant to the aggregation rule at § 1021.313, and how it detects and reports suspicious transactions under § 1021.320.
Internal controls must also encompass the casino’s approach to customer identification. Section 1021.410(a) requires that a casino, when a deposit of funds is made, an account is opened, or a line of credit is extended, secure and maintain a record of the customer’s name, permanent address, and other identifying information. The internal controls pillar must map the procedures by which front-line staff capture and record this information consistently across all relevant transaction points.
Independent Testing for Compliance
Section 1021.210(b)(2)(ii) mandates independent testing. The regulation specifies that “the scope and frequency of the testing shall be commensurate with the money laundering and terrorist financing risks posed by the products and services provided by the casino.” This is a risk-calibrated standard, not a fixed schedule. A large, high-volume casino with a complex product mix, significant cash handling, and a history of SAR activity is expected to test more frequently and more deeply than a small card club with limited transaction volume. The regulation does not specify a minimum testing interval, it places the burden on the casino to justify the scope and frequency it has adopted against its documented risk assessment.
“The scope and frequency of the testing shall be commensurate with the money laundering and terrorist financing risks posed by the products and services provided by the casino.”, 31 CFR § 1021.210(b)(2)(ii)
Testing may be conducted by internal audit or by an external independent party. Regardless of who performs the testing, independence is required: the function must be separate from the operational and compliance staff whose work is being tested. FinCEN enforcement findings frequently identify failures of independence as a contributing factor in program deficiencies, particularly at smaller properties where the same individual may hold compliance and operational responsibilities. At a minimum, the testing function should examine CTR and SAR filing accuracy, the adequacy of customer identification procedures, training records, and whether the compliance program has been updated to reflect changes in the casino’s operations or risk profile.
Training of Casino Personnel
Section 1021.210(b)(2)(iii) requires training of casino personnel “including training in the identification of unusual or suspicious transactions, to the extent that the reporting of such transactions is required by this chapter, by other applicable law or regulation, or by the casino’s own administrative and compliance policies.” The training obligation tracks the casino’s SAR obligation: any employee whose role involves transactions that could constitute suspicious activity must be trained to recognize the indicators that require an internal report and escalation.
The regulation does not specify training frequency. Compliance programs should document initial training for new employees before they handle BSA-relevant transactions, periodic refresher training tied to changes in the regulatory environment or the casino’s risk profile, and training records sufficient to demonstrate to FinCEN examiners that the program was actually delivered and understood. Training records must identify the employees trained, the topics covered, the date of training, and the results of any testing used to measure comprehension. A training program that cannot be demonstrated through records provides little protection in an examination.
A Designated Compliance Individual
Section 1021.210(b)(2)(iv) requires “an individual or individuals to assure day-to-day compliance.” This is the designated compliance function. The regulation’s use of “individual or individuals” allows compliance responsibility to be distributed across more than one person, which is relevant at large casino operations where a single compliance officer cannot practicably oversee every operational area. The casino must be able to identify who bears day-to-day compliance responsibility for each component of the program. Diffuse or unclear compliance ownership creates the same enforcement exposure as no designated individual at all.
The designated compliance individual must have sufficient authority and access to perform the role effectively. In enforcement contexts, FinCEN has found deficiencies where compliance staff lacked the organizational authority to escalate findings to senior management, lacked access to transaction records needed to identify SAR-triggering patterns, or were too operationally junior to influence the casino’s practices. The compliance function must sit at a level in the organization where it can act on findings without being overridden by operational or revenue priorities.
Customer Identification Procedures
Section 1021.210(b)(2)(v) requires “procedures for using all available information” to determine three categories of information. The casino must be able to determine, when required, the name, address, social security number, and other identifying information of a customer, and to verify that information. It must be able to determine the occurrence of any transactions or patterns of transactions required to be reported pursuant to the SAR rule at § 1021.320. It must also be able to determine whether a customer appears in any list of known or suspected terrorists or terrorist organizations.
The CTR reporting threshold under § 1021.311 is transactions in currency exceeding $10,000, with the aggregation rule at § 1021.313 requiring that multiple transactions by or on behalf of the same person be treated as a single transaction when the casino has knowledge they aggregate above $10,000 in a gaming day. For SAR purposes, the threshold drops to $5,000: a transaction or pattern of transactions at or above $5,000 that the casino knows, suspects, or has reason to suspect involves funds derived from illegal activity or is designed to evade BSA requirements must be reported under § 1021.320. The gap between these two thresholds is a persistent source of compliance failure, casinos that calibrate their monitoring systems to the $10,000 CTR threshold systematically underidentify SAR-eligible activity.
| Report Type | Regulatory Citation | Threshold | Filing Deadline |
|---|---|---|---|
| Currency Transaction Report (CTR) | 31 CFR § 1021.311 | Currency in/out exceeding $10,000 per gaming day | 15 calendar days after the transaction date (per FinCEN guidance) |
| Suspicious Activity Report (SAR) | 31 CFR § 1021.320 | $5,000 or more with suspicious indicators | 30 days from initial detection, up to 60 days if no suspect identified |
| Currency and Monetary Instruments Report (CMIR) | 31 CFR § 1010.340 | Transport of more than $10,000 into or out of the US | At time of transport |
SAR confidentiality obligations are absolute. Under § 1021.320(e), no casino and no director, officer, employee, or agent may disclose a SAR or any information that would reveal the existence of a SAR. When served with a subpoena or other request for SAR-related information, the casino must decline to produce the document, cite the prohibition, and notify FinCEN of the request.
Automated Data Processing System Requirements for Larger Casinos
Section 1021.210(b)(2)(vi) imposes an additional obligation on larger casinos, those whose gross annual gaming revenue exceeds the higher revenue threshold set out in the relevant provision of the regulation. These casinos must maintain a system of automated data processing that assists in identifying and monitoring required transactions, including aggregating multiple transactions by the same customer across the gaming day and generating reports used in connection with the currency transaction reporting and suspicious activity monitoring obligations. Compliance teams should confirm the precise revenue threshold directly against the current eCFR text of § 1021.210(b)(2)(vi), as specific dollar figures in this provision were not retrieved verbatim during research for this article.
The automated system requirement recognizes that, at transaction volumes characteristic of a large casino operation, manual monitoring cannot reliably capture all aggregation events, pattern anomalies, or threshold-triggering transactions. The system must be capable of aggregating currency transactions by customer identity across the gaming day in real time, flagging patterns that may indicate structuring or other evasion, and generating the documentation trail that supports both CTR filing and SAR analysis. Section 1021.410(c) further requires that casinos which store required records on computer disk, tape, or other machine-readable media maintain those records in a form that is retrievable in a reasonable period of time and that the casino have sufficient hardware and software in place to retrieve any such record.
Compliance teams at operations subject to this provision should document the automated system’s capabilities, its coverage of all transaction types enumerated at §§ 1021.311(a) and (b), its aggregation logic, its alert parameters, and the process by which system-generated alerts are reviewed and resolved. An automated system that is technically present but whose alerts are routinely ignored or whose aggregation logic is misconfigured provides no protection and may affirmatively evidence program deficiency.
The SAR Filing Framework: Timelines and the Tipping-Off Prohibition
When a casino identifies a suspicious transaction at or above the $5,000 threshold, § 1021.320 requires filing a SAR with FinCEN no later than 30 calendar days from the date of initial detection of facts that may constitute a basis for filing. If no suspect is identified on the date of initial detection, the casino may delay filing for an additional 30 calendar days to identify a suspect, but in no case may reporting be delayed more than 60 calendar days after initial detection. Where the suspicious activity involves an ongoing money laundering scheme or requires immediate law enforcement attention, the casino must notify an appropriate law enforcement authority by telephone in addition to filing the SAR.
Casinos must retain a copy of every SAR filed and the original or business record equivalent of supporting documentation for five years from the date of filing under § 1021.320(d). Supporting documentation must be identified as such and maintained separately. The documentation associated with a SAR is deemed filed with FinCEN and is available to law enforcement, this creates an independent record that FinCEN can review to assess whether the casino’s SAR analysis was adequate at the time of filing.
Enforcement Context: The Lake Elsinore Consent Order
FinCEN assessed a $900,000 civil money penalty against Lake Elsinore Hotel &, Casino in October 2024 for violations of the Bank Secrecy Act (Consent Order 2024-03). According to Sportscasting’s reporting at the time, the action cited lax anti-money laundering controls at the California card club property. The Lake Elsinore action illustrates two recurring enforcement patterns: the penalty fell on a regional property rather than a major resort operator, demonstrating that FinCEN’s examination focus is not concentrated solely on high-volume Strip-style casinos, and the underlying deficiencies in civil money penalty cases typically reflect systemic program failures, inadequate internal controls, insufficient training, or gaps in the independence of the testing function, rather than individual transaction-level errors.
Compliance teams should also be aware that FinCEN shares information with state gaming regulators and federal law enforcement under the information-sharing provisions of 31 CFR Part 1021, Subpart E. A BSA program deficiency identified in a federal examination can trigger concurrent action from a state gaming authority with its own licensing and penalty authority. The layered enforcement environment means that a single program gap can produce multiple simultaneous regulatory proceedings.
What Qualifies as “All Available Information” for Customer Identification?
The phrase “all available information” in § 1021.210(b)(2)(v) is operationally significant. FinCEN guidance makes clear that casinos are expected to use information they hold, including casino account records, player tracking data, cage transaction logs, credit files, and prior currency transaction documentation, when assessing whether a transaction or pattern requires reporting. A casino that siloes its player tracking data from its compliance monitoring function cannot credibly claim it used “all available information” when those data sources would have revealed a SAR-triggering pattern.
For casinos operating player loyalty programs, the account-level transaction history available through those programs is considered available information for BSA purposes. This has practical implications for the integration of compliance monitoring systems with marketing and player management platforms: the compliance function must have access to consolidated customer activity data, not just the cage and pit transaction records that flow directly through the compliance department’s own systems.
Card Clubs: Additional Record-Keeping Obligations
Card clubs face one additional category of records obligation beyond the standard casino requirements. Under § 1021.410(a)(11), card clubs must maintain records of all currency transactions by customers, including currency transaction logs and multiple currency transaction logs, and records of all activity at cages or similar facilities, including cage control logs. These records must be maintained for five years and must be available to FinCEN upon request. The card club record-keeping requirements reflect the higher cash-transaction intensity typical of card room operations and the greater difficulty of reconstructing transaction activity without contemporaneous logs.
Program documentation requirement: A copy of the written compliance program described in § 1021.210(b) must be retained as part of the casino’s records under § 1021.410(a)(10) for five years. FinCEN examiners routinely request this document as the starting point of a BSA examination.
Interaction with State Gaming Regulation and Multi-Jurisdictional Operations
Several states, Nevada, New Jersey, Pennsylvania, and Michigan among them, maintain their own gaming regulatory frameworks with AML components supervised by state gaming control boards. In states where the state regulatory system “substantially meets” the reporting and recordkeeping requirements of 31 CFR Chapter X, the Secretary of the Treasury may exempt casinos in that state from certain federal reporting requirements under § 1010.970(c) and § 1021.330(b). Where such an exemption applies, the casino avoids duplication of currency reporting between state and federal systems.
Operators running multi-state gaming operations, including online gaming platforms authorized in states such as New Jersey, Pennsylvania, and Michigan, must map their BSA compliance program obligations against the state-level licensing requirements in each jurisdiction. State gaming authorities in New Jersey (Division of Gaming Enforcement), Pennsylvania (Pennsylvania Gaming Control Board), and Michigan (Michigan Gaming Control Board) each impose AML program requirements in their licensing conditions that run parallel to, and in some respects extend beyond, the federal floor established by § 1021.210. The federal BSA program is a minimum floor, not a ceiling: state requirements that exceed the federal standard apply in addition to, not instead of, the § 1021.210 obligations.
For operators comparing BSA program requirements with those in international markets, the structural parallels are notable. The UKGC’s Licence Conditions and Codes of Practice Section 2.1 imposes analogous risk assessment, internal controls, and training obligations on casino licensees, while the MGA under the Gaming Act (Cap. 583) requires a comparable documented AML framework with independent audit and designated compliance officer components. The US federal framework differs principally in its currency transaction reporting architecture, the $10,000 CTR system has no direct equivalent in EU-framework jurisdictions, which rely on risk-based due diligence triggers rather than fixed-threshold mandatory reporting.
Program Approval and Ongoing Maintenance
The written program must carry the approval of senior management. This expectation is not explicit in the text of § 1021.210 itself, but it reflects BSA Advisory Group guidance and FinCEN’s examination posture: a compliance program that has not been formally adopted and approved by casino leadership is difficult to defend as “reasonably designed to assure and monitor compliance.” Senior management approval should be documented, dated, and refreshed whenever material changes to the program are made.
The compliance program is a living document. It must be updated when the casino introduces new products or services, changes its transaction processing methods, expands or contracts its customer base, or when FinCEN issues new guidance affecting casino BSA obligations. An annual review at minimum is consistent with examination expectations, and casinos with rapidly changing operations or elevated risk profiles should review program adequacy more frequently. The independent testing function should include an assessment of whether the program has been kept current with regulatory and operational changes.
Compliance teams at US casinos navigating both federal BSA obligations and state gaming authority requirements should retain qualified legal counsel with experience in both financial crimes regulation and gaming law. The interaction between federal and state requirements, the exemption framework under § 1010.970(c), and the enforcement posture of FinCEN and state gaming regulators requires jurisdiction-specific analysis that goes beyond the minimum program requirements set out in § 1021.210.
Key Resources
31 CFR Part 1021, Rules for Casinos and Card Clubs (FinCEN / eCFR, up to date as of May 26, 2026): The primary regulatory text governing casino BSA compliance programs, CTR and SAR filing obligations, and record-keeping requirements. Available at ecfr.gov.
31 USC § 5318, Compliance, exemptions, and summons authority: The statutory authority for the AML program requirement, including § 5318(h)(1) which mandates the four-component minimum program structure for financial institutions.
FinCEN Enforcement Actions: FinCEN’s enforcement history, including casino-specific civil money penalty assessments, is published at fincen.gov. Compliance teams should monitor this page for new enforcement actions, which frequently provide detailed factual findings about the specific program deficiencies FinCEN found actionable. To implement a § 1021.210 compliance program at your casino, begin by conducting a risk assessment of your specific gaming operations, documenting your current internal controls and transaction monitoring practices, and comparing them against the six mandatory components outlined in this article, use the Key Resources section to access the current regulatory text and review recent FinCEN enforcement findings to identify the gaps most frequently cited in penalty actions.
Matt Denney
Editorial · gamingcompliance.io
Reads the primary source so you don't have to. Fifteen years inside iGaming compliance: operator, supplier, and crown-corporation lottery.
The Tuesday brief, every week.
One email. Every regulator change we surface, every standard we re-index, every enforcement decision we read. No marketing, no fluff.
Unsubscribe with one click. We'll never share your address.