Search Icon

Various industries are prime hotspots for money laundering. In real estate, mansions and high-end condos get sold for either way more or way less than they were originally purchased for. In commodities, companies pay business partners in physical goods (rather than cash) that can be bartered or resold. And in gaming, bettors may arrange to drop bets in order to conveniently lose money to people they need to pay off.

To avoid being a part of these nefarious activities, online gaming orgs invest in tight identity verification, anti-money laundering (AML) capabilities, and other defenses. This industry, pre-COVID, was expected to hit almost $100B worldwide by 2024. Growth is enormous, and so is the potential for abuse.

Identity verification in the online gaming space has to be (at least partially) real-time. Players sign up because they want to play right now. But that’s just the first possible phase. Many online casinos allow players to quickly open an account, deposit their ante, and play. But they are only asked to submit documents (license, passport, bank statement, or utility bill) for deeper verification when they want to finally withdraw their first winnings. This way the casinos generate activity and revenue with the least amount of friction.

N.B. The better providers try to watch out for obvious bad actors, underage wannabes, and possible money launderers. To be good citizens, they also monitor for activities that might indicate addicted gamblers.

But like in other industries, these sites sometimes make an unfortunate assumption. They stack up identity vendors and data sources, thinking to spread the love. They equate each vendor with a single data source, and build that multi-vendor waterfall because, as we in the identity market know, not all data sources are as accurate or as fresh as we’d like. How often are they corrected? How often are they updated? “Yeah, that was my correct address, four years ago. But I’ve moved.”

Stale data can mean applicants can get rejected because the address on that license doesn’t match the one on the utility bill. So a consumer might be a good bet, but can still get bounced. This is called a false positive. Identity thieves who troll for old data on the dark web might be able to leverage information that is out of date, and get away with it. And when you stack up multiple point solutions, and they’re all single-sourced, those false positives also stack up, and compound each other.

At Socure, we apply layers of machine learning and artificial intelligence, to avoid false rejections, and also to reject bad actors. We leverage multiple data sources for every element of PII, because a single point of failure, a single inaccurate or stale reference, makes a good look like a bad. By using redundant sources, we drastically increase the likelihood of having that up-to-date, accurate picture of identity.

We also deeply examine the quality of all those individual elements of identity, the most minute characteristics of the data submitted by an applicant to make sure they’re all legit. Then we examine them again as a whole, to make sure they all belong to the same person. Identity thieves and synthetic fraudsters make use of other people’s identities in pieces, to build their own criminal personas. By ensuring the elements all correlate to a single identity, we attest to a solid citizen.

Another aspect of security in online gaming is specific to money laundering. These companies need to watch for individuals with shady backgrounds. But a common issue with searching data sources across the globe is the sheer volume of it. Online access to gaming means bad actors can operate from literally anywhere on the planet, so those searches have to be universal, and this means having to weed through lots and lots of information. My applicant is named Bob, but maybe he did bad stuff as Robert, Robbie, Bobby, Rob. Name variations alone can make this a difficult task, and name is only one of those items. Addresses can be transcribed differently. Identifying elements such as SSN or birth date can be miskeyed by a day or two.

Socure performs searches for KYC as well as global watchlists, to validate good players while keeping an eye out for bad ones. This means applying deeper intelligence, fuzzy matching, and other techniques to zero in on only relevant data. Remember, any law enforcement, AML, or other kind of hit invariably means a manual review of the results, so any results we return have to be useful, not buckets of data that some poor clerk has to sift through and possibly come up with an inaccurate result.

And for a powerful, extra layer of trust, Socure employs it’s identity document verification solution, Predictive DocV. Using a mobile or mobile web app, the applicant scans their physical id (the front and the back where applicable), includes a selfie, and submits. Not only do we perform hundreds of quality checks to ensure a legit, non-tampered document, we also extract the data directly from it to match up with what we already know. We can also put DocV upfront, to begin the validation process and pre-fill the application with that extracted data. The marriage of id and data-driven verification automatically deters a large portion of bad actors, and is a powerful, integrated solution for verifying trusted identities.

Online gamers are the ones taking the chances, and hopefully being responsible while they do it. Meanwhile, the providers can hedge their bets by employing the most powerful identity verification solution on the market.

Posted by

Jeff Scheidel

Jeff Scheidel

Jeff Scheidel is a technologist with 38 years in software, including 26 years in security solution design. He is the author of numerous white papers on security and regulatory compliance, as well as a McGraw-Hill book on identity, access, database, and application protection. Jeff is an expert on compliance requirements across a number of industries, and has presented at a wide variety of security events.