<img src="https://secure.hall3hook.com/198388.png" alt="" style="display:none;">
time 4 minute read

Why “Know Your Casino Customer” just makes sense

Online gaming had been growing steadily over the past 10-15 years, but the COVID-19 pandemic threw rocket fuel on this corner of the internet, accelerating player onboarding and usage, and inevitably fraudster activity. The global online gaming market generated over $21 billion in revenue in 2020, translating to a record 21.9% growth Y/Y. Over a billion people globally now game virtually, increasing the odds for illicit activities galore, from insider cheating, poker bots, and bonus and phone top up abuses, to all manner of payment and identity-based fraud.

Just as financial institutions are required to have Know Your Customer (KYC) policies in place during new customer onboarding or in conducting existing customer transactions, so too should “live” and online Casinos enforce identity authentication and KYC processes to prevent gamer account takeover, identity fraud, and synthetic identity fraud. Beyond direct losses and potential non-compliance fines, however, a gaming operator must also keep the shine on perhaps its most valuable possession – its reputation.

It’s no exaggeration to say that every consumer research study conducted over the past few years has documented the growing identity fraud fears of customers across the entire financial spectrum, whether in general banking to specialized markets such as auto finance, home mortgages, and in gaming.

Both live and online gaming markets have experienced an influx of stolen consumer credentials, easily available on the Dark web, with fraudsters accessing and exploiting legitimate customer accounts. Allowing stolen credit card usage or fraudulent payment methods can and does result in major losses for both the customer and casino, and also opens up the risk for money laundering / muling operations. These security failures obviously erode the customer-business relationship, causes extensive reputational damage, and subjects the operator to extensive anti-money laundering (AML) fines and penalties.

Gambling executives worldwide are fully aware of the evolving fraud threat and are actively taking steps to mitigate its potential impacts on business growth, if not to ensure their continued existence. A recent study conducted by New Dimensions of Change Research revealed that their gambling executives respondents are hyper-focused on managing growth and risk within a high fraud landscape, and have undertaken security initiatives to foster consumer trust.

The study revealed that 59% of the surveyed gambling executives actually changed their transaction processes just since the outbreak of COVID-19 in early 2020, increasing their investments into various anti-fraud technology solutions. Further, gaming companies now tie “customer journey” factors to their overall business viability, with 83% of gambling executives asserting that smooth customer transactions are now essential to their survival, rather than just providing differentiation or a competitive edge in the market.

 

Identifying & Mitigating Risks

Whether conducting operations in-person or online, casinos and gaming organizations have robust legal responsibilities to prevent and mitigate the risks posed by fraud. These include but aren’t limited to ensuring that any unique gamer information (personally identifiable information (PII), bank accounts, etc) in your possession is kept secure. In a broader context, operators must also have in place safety protocols, programs, and systems to detect and prevent against breaches that could expose PII.

Machine driven processes that enable forensic-level identity document authentication is a key part of a casino’s onboarding and ongoing transaction procedures. Understanding and documenting exactly who the player is, and their respective legal age, are necessary processes that adhere to local and federal laws, as well as potentially international laws for best practices in terms of compliance.

Hand-in-hand with these procedures, live gaming operators could also employ cloud-based identity checks on-floor, using mobile devices to scan and verify the authenticity of identity documents, as well as conduct real-time database checks on whether gamers are a Politically Exposed Person (PEP), have a suspicious record, or even exist at all.

 

Evolving Rules & Regs & Solutions

Now, all this being said, it is significant to note the new “Federal Non-Documentary policy” that just went into effect October 2021. Per the Financial Crimes Enforcement Network (FINCEN) of the US Treasury Department, the use of non-documentary means in order to ID Casino visitors will now be permitted.

A bit of framing history: since 1985, the “Bank Secretary Act” had defined casinos as de facto financial institutions. As such, gaming facilities, as with banks, must file Currency Transaction Reports (CTRs) on all lone and/or aggregated currency transactions that exceed $10,000 per day. Additionally, if any indication of money laundering or any other related crimes are revealed, casinos are required to file a Suspicious Activity Report (SAR) when for example, they observe a small-time gambler exchanging significant amounts of cash for chips.

Prior to this new regulation, a casino’s staff was required to collect and inspect a gamer’s valid identity document -- such as a driver license or passport -- before opening customer accounts, extending credit, or accepting funds. In certain circumstances, those rigors are no longer required.

With the new policy, “most” casinos can now conduct “database checks” of a customer’s credit or fraud signal history via third-party consumer agencies, financial institutions, and public databases. Per FINCEN, casino staff can now employ Knowledge-based Authentication (KBA) to verify a gamer’s identity, eg. posing questions on “Monthly mortgage payment” or “Last employer” or “Last 2 home addresses”, comparing their answers with the data points shown on the report.

Why is this happening? Given the massive expansion of online gaming, FINCEN believes that third-party service providers and new technologies can offer more options on identity verification methods of an online casino player along with legacy documentary methods.

Key caveats to the implementation of this new policy include:

  • Third-party services must be vetted
  • Any new process always opens up possible malicious manipulation and exploitation (See recent PPP loans)
  • Some US states have stricter gaming laws and requirements concerning the verification. This new federal FINCEN rule “does not displace state law.”

Ultimately, the goal of all live and online gaming establishments is to let their customers go about their business (or gambling pleasure) in the most secure yet expeditious way. Technologies and policies will continue to pivot to respond to known threats as well as scale to those (currently) unknown in the future.

Along with physical identity document authentication procedures, other technologies will come online to augment this fundamental methodology:

  • Aforementioned database checks
  • On-person device analytics that could link device metadata to a gamer’s fraud activity and IP history
  • Other gathered fraud “signals” associated to a gamer’s email, phone, or address

Work with a vendor with a decades long history of thwarting fraud in all forms, and one able to develop and access the tools your gaming organization needs to securely thrive.