The need to perform customer due diligence (or CDD) to verify identification is not new, and an absolute must for regulated industries such as gambling.
Primarily designed to ensure anti-money laundering (AML) checks are performed, the requirements now go much further than basic screening practices. This is to ensure that checks such as PEPs (politically exposed persons) and SIPs (special interest persons) are covered, and evidenced, as part of an enhanced review.
This clearly provides additional challenges for the gambling sector in particular for identifying, managing and processing accounts relating to a self-exclusion process and can result in significant complexity and scale.
What’s driving the complexity for compliance?
The UK gambling industry is being set tighter and stricter deadlines by the UK Gambling Commission to protect consumers, with an ongoing strategy to make online gambling a safe and comfortable environment for all. The window for performing processes such as self-exclusion is getting smaller and smaller.
Strengthening initiatives include; improved online age and identity verification, the banning of credit cards, enhanced rules and guidance on identifying and interacting with customers who may be at risk of harm.
All of this combined with the regulator demanding that gambling companies raise standards in the areas of VIP practices, advertising technology, game design and online stake limits creates a complex environment for self-exclusion.
The commission is particularly focussing on the below areas for improvement, and self-exclusion we can see is a major emphasis:
- Preventing underage gambling with policies to prevent and monitor effectiveness.
- Self-exclusion options for those who would like to take steps to stop gambling.
- The importance of interacting with customers and focusing on measures to identify and help those at-risk of harm to help prevent becoming problem gamblers.
You can find more details on these areas here.
Where the compliance gaps are likely to occur:
Organisations across many sectors, and especially gambling companies, have developed robust processes and controls in order to perform and evidence the diligence work carried out in relation to customer verification.
However, one fundamental challenge that appears time and again is gaining the knowledge of, and identifying which, accounts require checking and monitoring.
This challenge largely occurs because online customers can be both creative and determined, creating duplicate accounts to take advantage of online offers, or in an attempt to circumnavigate controls.
The commission is well aware of this and has a clear expectation that gambling companies will do their utmost to address and mitigate the impacts of this workaround.
How you can remove the duplicate account complexity when managing verification processes:
To help companies rise to meet this challenge head on, our automation team created a robot that seeks out potential duplicate accounts based on a logical sequence of checks to help strengthen the CDD toolkit.
Let’s illustrate this with a challenge and the solution.
Suppose a customer (let’s call him Eric) created an online account with the following details:
Eric Twinge of 29 Acacia Road, Anytown, BN1 1DY, born 16 February 1980, email address of email@example.com, and a mobile phone number 0310 8315486.
Eric then moves to a new house a year later and wants to update his details.
However, he’s forgotten his login credentials, and really wants to get online as soon as possible, so he creates a new (duplicate) account for his ease.
Because he had already created an account, he entered some slightly different information changing his email address to firstname.lastname@example.org and his phone number to 0789 1982007.
Never underestimate the creativity of people!
Eric now has two separate accounts, which may not be linked automatically by the online platform, particularly if the unique identifier is the email address and/or telephone number.
If Eric subsequently requests to self-exclude his latest account, the gambling company would ideally need to identify all accounts that Eric may have created, in order to compete his request.
This is obviously a very simple example in isolation, in reality scenarios are much more complex and plentiful, and therefore more challenging for any service provider to manage effectively.
So, what can be done to ensure compliance, and to keep Eric safe?
One solution is to try and solve manually, by reviewing as many accounts as possible to spot connections and/or related data points (such as common postcodes for example), but this can require a lot of resources to achieve within the timescales required by regulations.
Robotic Process Automation (RPA) offers the ability to automate manual processes, and in far shorter time, can complete the review tasks across hundreds, thousands or millions of data points. For example, by programming a robot to search customer records to identify and “match” multiple key data points:
- Each match results in either a full or partial match of the target data points determined using algorithms (for example, flagging that Eric’s creative use of banana 1 and banana 2 could possibly be the same person)
- Each full and partial data match is assigned a weighting score
- The cumulative result is an overall score per customer based on those matches and that overall score equates to a confidence level of a duplicate account match
- The final outcome is that a customer account will be considered either a duplicate match, no-match, or partial match for further review
The RPA can be programmed to match any number of data points in theory, but in order to achieve a higher confidence rating the laws of diminishing returns will take effect at some stage.
Reducing false positives and negatives quickly: