I'm performing a Reg GG audit, and the bank's approach to screening new accounts is to determine through inquiry whether or not the commercial customer engages in internet gambling. They verbally ask the question, record the answer on a broader BSA risk assessment, and if the response is yes, the procedures say they'll collect all the proper evidence of the business's legal authority to engage in internet gambling. If evidence can't be supplied, the account is not opened. I'm wondering if it's okay to just ask the questions and not obtain a certification from the customer. If the customer poses more than a minimal risk, don't we have to have one or the other on file, either the certification or the proof that what they're doing is legal? I'm undertanding that only certain entities (like government entities and banks), as well as businesses that do not engage in any internet business, are considered minimal risk. By not getting a certification from any business, aren't we expanding the definition of minimal risk to every business that tells us they don't engage in internet gambling?

In essence, the subject bank would probably say it is obtaining the "certification" verbally; i.e. "We asked and they promised."

Per the interagency examination procedures, your regulator will expect that the conclusion will be supported by documentation provided by the customer, not a verbal Q & A:

2. If the institution cannot determine whether the commercial accountholder poses a minimal risk of engaging in an Internet gambling business, then the institution should obtain the following documentation from the customer:
a. A certification from the customer that it does not engage in an Internet gambling business; or
b. If the customer does engage in an Internet gambling business:
i. Either a copy of the commercial license from a State or tribal authority authorizing the customer to engage in the business or a reasoned legal opinion (as defined in the rule) that demonstrates that the business does not involve restricted transactions; and
ii. A written commitment by the customer to advise the participant of any changes in its legal authority to engage in the Internet gambling business; and
iii. A third-party certification that the customer’s systems for engaging in the Internet gambling business are reasonably designed to ensure that the business will remain within legal limits.

I would not enter the realm of theorizing about minimal risk, but would just tell them the customer, more accurately the appropriate representative of the customer, must sign a certification.

P.S. Incorporating Regulation GG processes into BSA processes increases their importance exponentially. It is not a good decision as you can end up getting criticzed in a BSA examination for failing to do something that is totally unrelated to BSA.

I have banks that do the same thing. Questions are asked and answered and documented and the bank indicates through this process they determine whether or not the business presents minimal risk and foregoes a certfication process. They have passed a number of exams that specifically reviewed Reg GG.

If that will work, that's great. This regulation is worthless and a penny not spent on it is a penny saved.

As an internal auditor I would feel obligated to sit down with operations and point out that examiners could legitmately say that documentation provided by the customer was required.

That has been brought to their attention, but considering there are no specific penalties and likely none would ever be assessed, they choose to save the nickle (considering inflation) until told otherwise. I find it hard to fault them on that.

Thank you both for the valuable input.