In 2018, the Supreme Court overturned the Professional and Amateur Sports Protection Act of 1992 (PASPA), a law which, until then, had effectively criminalized sports betting in the US — except for in a handful of exempt states. With the law overturned, individual states were allowed to decide whether or not to legalize sports betting within their boundaries.
While online gaming (iGaming) and other forms of internet-based gambling have existed in some form for decades in various jurisdictions, the overturning of PASPA is widely credited with its expansion in the United States.
Still, iGaming remains a highly regulated industry. Online gaming operators must comply with both federal and state laws — many of which outline strict Know Your Customer (KYC) and anti-money laundering (AML) requirements.
Below, we define online gaming, discuss the KYC and AML requirements impacting the industry, and highlight the key challenges associated with compliance.
What is iGaming?
iGaming, also called online gaming, is the act of using the internet to place a bet or wager on the outcome of an event. The term is often used synonymously with online gambling, though different jurisdictions may have different legal definitions for each term.
Online sports betting, poker betting, video game betting (eSports), and casino gaming can all be considered different forms of iGaming.
iGaming can take place via websites or mobile apps — sometimes called online casinos, virtual casinos, online sportsbooks, or virtual sportsbooks. Some of the more popular online gaming apps today include DraftKings, FanDuel, and BetMGM, amongst many others.
KYC, AML, and the iGaming industry
The Bank Secrecy Act of 1970 established the first anti-money laundering laws and regulations in the United States. Though it originally applied to traditional financial institutions such as banks, credit unions, lenders, and insurers, the list of organizations considered “financial institutions” has broadened significantly over time. In 1985, casinos made it onto this list — and, by extension, online gaming operators.
In order to remain compliant with the BSA, online gaming operators must monitor user activity and file various reports when particular activities occur. This includes filing currency transaction reports (CTRs) when a user makes transactions totaling at least $10,000 in a single business day, as well as suspicious activity reports (SARs) when any other activity indicates money laundering or other financial crimes.
Additionally, before allowing users to place bets, online gaming operators must perform customer due diligence (CDD) by verifying the user’s identity — a process known as Know Your Customer (KYC).
KYC requirements for online gaming
In order to comply with various state and federal laws, gambling websites and other online gaming operators must collect certain data to establish a profile and understanding of each of their users.
Verifying the user’s identity
In order to verify a user’s identity, online gaming operators typically collect the user’s name, date of birth, address, and identification number, as well as other information as necessary.
Then, they’ll usually ask the user to take a photo of their government-issued ID, such as a driver’s license or passport. In riskier scenarios, the user may also be asked to take selfies, which will be checked against the ID in order to verify that the ID being used to open the account actually belongs to the person.
During this process, the user’s data can be used to crosscheck various databases and lists to ensure that the individual does not pose the gaming operator a significant amount of risk. This often includes:
Note: Self-exclusion lists are commonly used by individuals who are addicted to gambling. By joining these lists, they make it more difficult for themselves to open online gaming accounts.
Additionally, in many states, certain individuals are barred from participating in online gambling. Individuals employed by a casino or lottery commission, for example, may not be allowed to participate in online casino gambling. Meanwhile, professional athletes and coaches may be barred from participating in online (and in-person) sports betting. Data collected during identity verification can help identify these individuals and prevent them from opening an account.
Verifying the user’s source of funds
In order to ensure that money laundering is not taking place, online gaming operators must verify the user’s source of funds (SoF). This verification can also help the operator identify instances of problem gambling, empowering them to cut off an individual once a certain threshold has been passed.
Source of funds can be verified in different ways. Some common options include income statements or pay stubs. Other options may also include various proofs of wealth, such as:
- Bank statements
- Dividend statements
- Pension/401(k) statements
Source of funds verification is typically carried out during account setup, and then any time the user deposits or withdraws a large sum of money or does anything that may indicate money laundering.
Verifying the user’s location
In addition to verifying a user’s identity and source of funds, online gaming operators must also verify the user’s location — both during initial account setup and any time the user is actively using their services.
Because online gaming is treated differently from state to state and country to country, location verification is required to ensure that the user is physically located within a state in which online gambling is legal. Location verification also has AML implications, as it can help an operator understand whether or not money is coming from a jurisdiction where money laundering is common.
Gaming operators can verify location by collecting digital signals such as the user’s IP address and geolocational data from the user’s device. Likewise, it can be helpful to screen for VPN usage, which may indicate that a user is attempting to access the platform from a location where online gambling may not be legal. Additional documents, such as a utility bill (with the user’s name and address on it), may also be required to establish proof of residence.
Challenges of KYC in the iGaming industry
The primary challenge that the iGaming industry faces in implementing KYC requirements is the same issue all other industries must face: doing so introduces friction to the account creation process. This friction may frustrate some users or cause them to reconsider whether they truly wish to open an account. Therefore, it’s imperative to strike a balance between user experience and KYC/AML compliance.
Additionally, online gaming operators must abide by a patchwork of laws depending on the different jurisdictions in which they operate. This patchwork of state, federal, and international laws and regulations increases the chances that something may go wrong, making it very important to have clear compliance processes in place.
Here at Persona, we understand just how important it is to manage friction. That’s why we’ve designed our verification solution with the end user experience in mind. By using progressive risk segmentation to dynamically adjust friction based on risk signals you observe, your users only have to submit the minimum information required at any one time — whether that be personal data, IDs and supplementary documentation, digital signals, or biometric data. The result is a robust identity verification process that allows you to build a true profile of who your user is, without scaring them away.
Likewise, we’ve designed our identity flows to be flexible and customizable, making it easier for you to adjust by jurisdiction.