Sebastian Nishimoto, Deputy General Counsel and Privacy Officer at Gateway Casinos & Entertainment Limited, is no stranger to the complexities of regulatory compliance in the Canadian casino industry.
With increased scrutiny, particularly around anti-money laundering (AML) and responsible gaming, Nishimoto pinpoints the critical nature of these areas for Gateway's operations.
"We do have specialized departments dedicated to AML and responsible gaming," he tells Lexpert.
Casino gaming in Canada operates under the legal framework of the Criminal Code, which mandates that such activities must be "conducted and managed" by provincial authorities. This means that in the three provinces where Gateway operates—British Columbia, Alberta, and Ontario—the provincial governments have established Crown corporations to oversee gaming activities. These include the British Columbia Lottery Corporation, Alberta Gaming, Liquor and Cannabis Commission, and Ontario Lottery and Gaming Corporation.
“The Crown bodies then contract with private sector casino operators like Gateway to operate the casinos on their behalf," Nishimoto adds.
And, while these Crown bodies take the lead on implementing new regulatory requirements, particularly those related to AML and responsible gaming, the relationship between the government entities and private operators like Gateway is far from one-sided
"The Crown bodies will consult heavily with private sector operators like Gateway before implementing new regulatory requirements,” explains Nishimoto.
One of the recent examples Nishimoto shares involved enhanced requirements around proving the source of funds for gaming patrons – a significant area of focus in the fight against money laundering.
"Our anti-money laundering department has worked closely with our counterparts at the Crown bodies to ensure an efficient and effective approach," he says. The goal here is to gather the necessary information while at the same time delivering an excellent customer experience.
Nishimoto's role as Deputy General Counsel primarily revolves around supporting these specialized departments in understanding the legal aspects of regulatory requirements. However, his involvement doesn't stop at legal interpretation. He participates in multi-department working groups during the consultation phases of new regulatory initiatives.
“If a gaming regulator were to propose changes to AML or responsible gaming regulations, they'll typically seek input from industry," Nishimoto tells Lexpert. His job involves liaising with various stakeholders at Gateway, including AML, operations, and marketing teams, to assess the impact of these changes on day-to-day operations.
Beyond the internal dynamics, Nishimoto also touches upon the broader industry landscape, particularly how different provinces and even countries approach gaming regulations. While each province in Canada has its own regulatory framework, there is significant "cross-talk" between regulators to ensure some level of uniformity.
"I think there is quite a bit of cross-talk between the regulators in terms of how they actually do things," he adds.
Privacy concerns, particularly regarding the handling of customer data, add another layer of complexity to Gateway's operations. Nishimoto identified three main areas of complexity from a privacy perspective: jurisdictional differences, the hybrid nature of their operations under both private and public sector privacy laws, and the sheer volume and sensitivity of the data they handle.
"When you take a step back and you look at the principles, a lot of them are largely the same," Nishimoto says, referring to the core privacy principles of informing customers, obtaining consent, and safeguarding personal information.
As such, to manage the hybrid nature of their privacy obligations, Gateway categorizes personal information into two broad types: gaming and non-gaming.
“Non-gaming personal information is things like personal information for our employees and customers who are using goods and services outside of gaming," Nishimoto explains. For non-gaming information, Gateway follows standard private sector privacy legislation. However, gaming-related information, which falls under public sector privacy laws, is subject to additional requirements imposed by the Crown bodies.
A particularly challenging aspect of managing gaming-related personal information is the need to differentiate it from non-gaming data. Nishimoto mentions a current initiative where Gateway is undergoing an extensive cataloging exercise with one of their Crown partners.
"We're basically looking at thousands of different types of personal information and figuring out, okay, which of these is non-gaming, which of these is gaming," he says. This exercise aims to streamline their data management practices and ensure compliance with the specific requirements for gaming-related information.
Nishimoto also reflected on the impact of the COVID-19 pandemic, which introduced new privacy considerations related to health and safety measures like proof of vaccination and contact tracing. Implementing these measures on short notice required close collaboration across various departments, including marketing, IT, and operations.
“I often hear in house counsel talk about other departments’ needs, because these requirements don't exist in a vacuum,” he says. “The importance is really on ‘how does this impact our actual operation?’ So that was a particular way of managing that complexity.”
Then there’s the technological aspect of things. The consequences of a breach of data were substantial, not just from a legal perspective, but reputational and operational.
“Technology is obviously a very important means of preventing these types of issues such as breaches,” says Nishimoto. “And I will not pretend to be any kind of expert in that area, but I do work quite closely with our cyber security department – which is continuously implementing new procedures and new protections to try to keep up with the ever growing threat out there from very sophisticated actors.”