Article 6 min

Risk-based approach for gaming operators

Risk-based approach for gaming operators

August 13, 2020  

Risk-based approach for gaming operators

From the moment an online guest arrives, the gaming experience should not be left to chance. The gamer wants to onboard quickly and start placing bets, and doesn’t want to be burdened with lengthy forms or cumbersome checks. At the same time, compliance needs to ensure that the player is legally allowed to use the service and doesn’t pose an unwarranted risk. Taking a risk-based approach (RBA), balancing the risk profile of the gamer with appropriate risk controls, provides a framework to satisfy both the gaming public and compliance.

Gaming operators should operationalize systems that understand the different risk profiles they encounter and how to effectively deal with the associated risk at an efficient level.

Gaming industry regulatory requirements

There are multiple jurisdictions that allow online gaming, with a variety of legal and regulatory requirements in place. Having said that, there are commonalities that provide a solid basis of understanding that can propel an RBA forward.

Age verification

In any legal gaming venue, the exclusion of minors is standard; while the age of majority will differ, gaming operators need to ensure that their customers are of legal age. Therefore, online age verification is a fundamental starting point for onboarding gamers. Proof of age can be accomplished using digital identity verification, ID document verification, or a combination of these methods.

Identity verification is the quickest and easiest way to verify a gamer’s age. For example, they could provide their name, date of birth and address via simple form fill and that information can be matched against known data. Often, this process is sufficient to allow the gamer onto the system. When a gamer presents a known profile, the operator can understand that the individual does indeed exist and that their age meets the requirements.

Digital information can be further analyzed against other risk criteria:

  • Has the address been changed recently?
  • Does the IP address of the application match the profile?
  • Does the identity information match the payment information?
  • Does the account contact information match the identity information?
  • Is the identity information on a fraud or watch list?

The simple fact that an individual has a credit card in the name they provided does provide evidence that they are of legal age; they can enter into legal contracts. Identity verification can also provide a variety of additional layers of risk analysis, depending on how workflows are set up.


Another vital consideration is determining where the individual is placing a bet from. Different locales represent different risk factors, to the extent that bets from certain jurisdictions are outright banned.

The U.S., for example, only allows bettors from within that state’s borders, assuming that state has legal gambling. Any betting across state lines would run afoul of federal law and operators would face significant legal consequences. Thus, any operator needs to verify location both at onboarding and on an ongoing basis. The vast majority of international operators will also not accept U.S. customers, to avoid any issues with the U.S. federal government. Similarly, different jurisdictions may have prescriptive rules on where they can accept customers from. Besides these rules, location may also be a risk factor, especially if the country of origin is a known money laundering hotspot.

Identity verification can disclose where the individual comes from but additional measures, such as IP location, are necessary to determine if the player is in an approved location.

Know Your Customer and rules to help prevent money laundering

Another significant compliance concern is whether the money entering the system are proceeds from crime and other money laundering schemes. Therefore, Know Your Customer (KYC) procedures for Anti-Money Laundering (AML) initiatives must be in place.

Generally, KYC for the gaming industry is not required at the onboarding stage, but rather when thresholds are met or suspicious activities occur. Thresholds are set at a transaction limit, or for cumulative totals, where the total amount bet starts to add up. These threshold limits themselves are a good example of a risk-based approach, requiring extra scrutiny when the amount wagered goes above a certain amount.

For example, the UK Gambling Commission stated in 2019 “as a general rule, for remote casinos CDD must be applied on a risk sensitive basis (so the measures should be tailored to the risk attributed to the specific customer), but CDD is mandatory in respect of all customers who trigger the CDD threshold of €2000.”

Often, an additional layer of identity verification is called for to ensure the player is indeed who they say they are. Workflows may trigger an ID document verification request, asking the customer to provide an image of their identity document, along with a selfie. The document can be scanned and checked for accuracy or alterations while the document image is compared to the selfie to see if it matches. Although this step requires more effort from the customer, the additional verification helps ensure that the risk level remains acceptable for those players that are transacting in higher amounts.

The addition of a secondary identity measure thus not only assists in providing better AML/KYC compliance, but is also a smart risk-mitigation strategy. Layering it in at a later date delivers less friction to the consumer, as they needn’t provide this documentation until further in the process, when they are less likely to abandon the operator. Providing notice before actually requiring the second verification also smooths the process along, limiting the number of unnecessary surprises.

Protecting against fraud

Effective risk-mitigation strategies are not only useful for compliance purposes, but also provide powerful techniques to prevent fraud. After all, the obscuring or falsification of identity is a cornerstone of any successful fraudulent activity.

Requiring accurate identity information from the outset of the relationship and adding in layers of identity information to match the risk level is a fundamental lesson of the risk-based approach. As the risk potential rises, so should the measures to detect risk. Carefully considering:

  • The types of bets
  • The frequency of bets
  • The amount wagered
  • The account history
  • The location of the bettor
  • The credit history of the bettor
  • The identity profile
  • Changes in the identity profile

and many other factors can help determine the associated risk of a prospect or customer. Carefully crafting workflows that accurately consider these factors, at the right time, is fundamental to creating a risk-based approach to gaming that works for players, operators and regulators.