I'm performing a Reg GG audit, and the bank's approach to screening new accounts is to determine through inquiry whether or not the commercial customer engages in internet gambling. They verbally ask the question, record the answer on a broader BSA risk assessment, and if the response is yes, the procedures say they'll collect all the proper evidence of the business's legal authority to engage in internet gambling. If evidence can't be supplied, the account is not opened. I'm wondering if it's okay to just ask the questions and not obtain a certification from the customer. If the customer poses more than a minimal risk, don't we have to have one or the other on file, either the certification or the proof that what they're doing is legal? I'm undertanding that only certain entities (like government entities and banks), as well as businesses that do not engage in any internet business, are considered minimal risk. By not getting a certification from any business, aren't we expanding the definition of minimal risk to every business that tells us they don't engage in internet gambling?
Don't make me say, "I told you so!" Sincerely, your friendly Compliance Officer.