Examples of Policies and Procedures
Regulation GG provides some examples of the sorts of policies and procedures institutions should create. The Regulation emphasizes, however, that institutions are free to shape their policies and procedures to match their own situations, including having separate policies and procedures for separate lines of business. Note that the accounts to which these policies and procedures apply include only commercial customer accounts or commercial customer relationships.
The “Due Diligence” Overlay
The Regulation GG examples are provided on a payment system-by-payment system basis. Overlaying those examples, however, is a general concept of “due diligence.” Regulation GG requires that you exercise due diligence in implementing your policies and procedures. We’ll see how that works when we look at the system-by-system examples later. Let’s look first at how Regulation GG describes due diligence.
1. The participant must judge the risk of restricted transactions presented by the commercial customer’s business and either:
   a. Determine that the commercial customer’s business presents a minimal risk of restricted transactions or
   b. Establish that the participant cannot make that determination, in which case the participant can either:
      i. Obtain a certification from the commercial customer that it does not engage in an Internet gambling business or
      ii. Obtain evidence of legal authority to engage in an Internet gambling business and a certification from a third party that the commercial customer’s systems for engaging in the Internet gambling business are reasonably designed to ensure that the commercial customer’s Internet gambling business will remain within the licensed or otherwise lawful limits, including with respect to age and location verification.
2. The participant must notify commercial account customers that restricted transactions are prohibited from being processed through the account.
Here are some details about the above “due diligence” rules.
First, you can consider certain entities, based only on what they are, to present a minimal risk of restricted transactions under 1.a. above. These include an entity directly supervised by a federal functional regulator, and an agency, department, or division of the federal or a state government. [12 CFR 233.6(b)(4)]
Second, evidence of legal authority, under 1.b. above, means documentation such as a copy of the commercial customer’s license authorizing the Internet gambling business and a written commitment from the customer to notify the participant of any changes in the legal authority of the customer to engage in Internet gambling business. [12 CFR 233.6(b)(2)(B)(1)]
Third, notification to customers under “2” above can be through the customer account agreement. [12 CFR 233.6(b)(3)]
Payment System Specific Examples
Regulation GG provides examples of policies and procedures specific to each of the five payment systems that it identifies as vulnerable to restricted transactions. The due diligence rules that we’ve just described are incorporated into each of these samples.
Basically, each example requires that the non-exempt participant’s policies and procedures address methods to conduct due diligence under the rules above. Non-exempt participants in a card system have the alternative of establishing a code system that flags potential restricted transactions. The procedures must provide for ongoing maintenance of such a code system.
For example, your policies and procedures might specify that you will require a certification of some sort from any commercial customer who claims to not be in the business of Internet gambling. Your policies and procedures might also specify the sort of legal evidence you will require from a person who claims to be authorized to engage in the Internet gambling business.
The policies and procedures must also include procedures to be followed when the non-exempt participant has actual knowledge that the system has encountered a restricted transaction. These procedures must include policies to be followed with respect to denying services to the commercial customer and closing the commercial customer’s account.
At the end of this chapter, in the Appendix, we have reproduced the entire text of the due diligence overlay and the payment system-specific examples. We encourage you to read the examples that are relevant to your business.