Your issue is whether the activity is suspicious, not whether the customer knows or does not know it is illegal. (He knows.)
The water surrounding whether the customer is actually breaking the law is pretty murky for everyone other than the DOJ. (In recently grabbing $34 million in gambling proceeds in consumer accounts DOJ indicates its vision is crystal clear.) However, it should be readily apparent to anyone that it is illegal for the casino or the remitter.
In a recent DOJ indictment of an individual who handled Internet gambling remittances they noted that he had provided false information about the nature of the businesses whose accounts he used to provide other types of payments. Accordingly, they also charged him with bank fraud. I assume manipulation of the card codes would be treated the same way.
If a SAR trigger is pulled, the conservative position is that your "suspect" is the casino or remitter, not the customer. (You customer will get honorable mention in the SAR narrative.) Your communication with the customer might be to the effect that you will not accept his relationship with this company or others in the same business.
Reg GG is not a factor in this answer.
In this world you must be oh so smart or oh so pleasant. Well, for years I was smart. I recommend pleasant.