The need to perform customer due diligence (or CDD) to verify identification is not new, and it is an absolute must for regulated industries such as gambling.
Primarily designed to ensure anti-money laundering (AML) checks are performed, the requirements now go much further than basic screening practices. This is to ensure that checks such as PEPs (politically exposed persons) and SIPs (special interest persons) are covered, and evidenced, as part of an enhanced review.
This clearly creates additional challenges, for the gambling sector in particular, in identifying, managing and processing accounts relating to a self-exclusion process, and can result in significant complexity and scale.
What’s driving the complexity for compliance?
The UK gambling industry is being set tighter and stricter deadlines by the UK Gambling Commission to protect consumers, with an ongoing strategy to make online gambling a safe and comfortable environment for all. The window for performing processes such as self-exclusion is getting smaller and smaller.
Strengthening initiatives include improved online age and identity verification, the banning of credit cards, and enhanced rules and guidance on identifying and interacting with customers who may be at risk of harm.
All of this, combined with the regulator demanding that gambling companies raise standards in the areas of VIP practices, advertising technology, game design and online stake limits, creates a complex environment for self-exclusion.
The commission is focusing in particular on the areas below for improvement, and self-exclusion is clearly a major emphasis:
- Preventing underage gambling with policies to prevent and monitor effectiveness.
- Self-exclusion options for those who would like to take steps to stop gambling.
- The importance of interacting with customers and focusing on measures to identify and help those at risk of harm, to help prevent them becoming problem gamblers.
You can find more details on these areas here.
Where the compliance gaps are likely to occur:
Organisations across many sectors, and especially gambling companies, have developed robust processes and controls in order to perform and evidence the diligence work carried out in relation to customer verification.
However, one fundamental challenge that appears time and again is knowing, and identifying, which accounts require checking and monitoring.
This challenge largely occurs because online customers can be both creative and determined, creating duplicate accounts to take advantage of online offers, or in an attempt to circumvent controls.
The commission is well aware of this and has a clear expectation that gambling companies will do their utmost to address and mitigate the impacts of this workaround.
How you can remove the duplicate account complexity when managing verification processes:
To help companies rise to meet this challenge head on, our automation team created a robot that seeks out potential duplicate accounts based on a logical sequence of checks to help strengthen the CDD toolkit.
Let’s illustrate this with a challenge and the solution.
Suppose a customer (let’s call him Eric) created an online account with the following details:
Eric Twinge of 29 Acacia Road, Anytown, BN1 1DY, born 16 February 1980, email address of firstname.lastname@example.org, and a mobile phone number 0310 8315486.
Eric then moves to a new house a year later and wants to update his details.
However, he’s forgotten his login credentials, and really wants to get online as soon as possible, so he creates a new (duplicate) account for his ease.
Because he had already created an account, he entered some slightly different information, changing his email address to email@example.com and his phone number to 0789 1982007.
Never underestimate the creativity of people!
Eric now has two separate accounts, which may not be linked automatically by the online platform, particularly if the unique identifier is the email address and/or telephone number.
If Eric subsequently requests to self-exclude his latest account, the gambling company would ideally need to identify all accounts that Eric may have created, in order to complete his request.
This is obviously a very simple example in isolation. In reality, scenarios are much more complex and plentiful, and therefore more challenging for any service provider to manage effectively.
So, what can be done to ensure compliance, and to keep Eric safe?
One solution is to try to solve this manually, by reviewing as many accounts as possible to spot connections and/or related data points (such as common postcodes, for example), but this can require a lot of resources to achieve within the timescales required by regulations.
Robotic Process Automation (RPA) offers the ability to automate manual processes and, in far less time, complete the review tasks across hundreds, thousands or millions of data points. For example, a robot can be programmed to search customer records to identify and “match” multiple key data points:
- Each match results in either a full or partial match of the target data points determined using algorithms (for example, flagging that Eric’s creative use of banana 1 and banana 2 could possibly be the same person)
- Each full and partial data match is assigned a weighting score
- The cumulative result is an overall score per customer based on those matches and that overall score equates to a confidence level of a duplicate account match
- The final outcome is that a customer account will be considered either a duplicate match, no-match, or partial match for further review
In theory, the RPA can be programmed to match any number of data points, but as more are added in pursuit of a higher confidence rating, the law of diminishing returns will take effect at some stage.
Reducing false positives and negatives quickly:
Complex algorithms have been developed in order to improve the accuracy of the results, far more quickly than a person could do so. This means your staff can focus more on helping the customer, as opposed to scanning thousands of data points.
These algorithms look at data points such as:
- keyboard proximity data entry error (e.g. Erix instead of Eric on a qwerty keyboard)
- data point transposition errors (e.g. Eirc instead of Eric or 3/2/80 instead of 2/3/80)
- data substitutions, additions or omissions (e.g. firstname.lastname@example.org instead of email@example.com)
- logical data variance tolerances (e.g. 16-Feb-1980 instead of 15-Feb-1980)
- extraction of common data points within data fields (e.g. Rose Cottage, 29 Acacia Road instead of 29, Rose Cottage)
More sophisticated results are attainable by incorporating external data references and services to cross-check and validate personal data points.
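The sketch below is an added example, not the vendor's robot: it shows how full and partial matches on individual data points can be weighted and summed into a duplicate, review or no-match outcome. The field names, weights, thresholds and sample records are assumptions made for illustration, and keyboard-proximity errors are simplified to "any single edit".

```python
from datetime import date

# Illustrative weights (points out of 100) and thresholds: assumptions, not the article's.
WEIGHTS = {"name": 35, "dob": 35, "postcode": 20, "email": 10}
DUPLICATE, REVIEW = 80, 50

def osa_distance(a, b):
    """Edit distance in which an adjacent transposition (Eirc/Eric) costs one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def text_match(a, b):
    """1.0 = full match, 0.5 = partial (exactly one edit apart), 0.0 = no match."""
    a, b = "".join(a.lower().split()), "".join(b.lower().split())
    if a == b:
        return 1.0
    return 0.5 if osa_distance(a, b) == 1 else 0.0

def dob_match(a, b):
    """Full on equality; partial for a one-day variance or swapped day and month."""
    if a == b:
        return 1.0
    swapped = (a.year, a.day, a.month) == (b.year, b.month, b.day)
    return 0.5 if abs((a - b).days) <= 1 or swapped else 0.0

def score(x, y):
    """Cumulative weighted score (0-100) across all compared data points."""
    text = sum(WEIGHTS[f] * text_match(x[f], y[f]) for f in ("name", "postcode", "email"))
    return text + WEIGHTS["dob"] * dob_match(x["dob"], y["dob"])

def classify(x, y):
    s = score(x, y)
    return "duplicate" if s >= DUPLICATE else "review" if s >= REVIEW else "no-match"

# Constructed sample records: same person after a house move, with a new email address.
OLD = {"name": "Eric Twinge", "dob": date(1980, 2, 16), "postcode": "BN1 1DY",
       "email": "eric.t1@example.test"}
NEW = {"name": "Eric Twinge", "dob": date(1980, 2, 16), "postcode": "ZZ9 9ZZ",
       "email": "eric.t2@example.test"}
print(score(OLD, NEW), classify(OLD, NEW))
```

With these assumed weights, the house-move pair lands in the review band rather than being auto-linked, which is the case that would be escalated to a person.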
Transforming due diligence and verification:
Customer Due Diligence processes can be truly transformed by combining RPA technologies to complement existing systems and services, and ensuring staff are free to help customers enjoy gambling safely and legally.
The RPA can continue to scan and search through high volumes of data in order to identify and action account updates in accordance with regulatory requirements.
Only the true exceptions need to be escalated for human intervention, adding value for customers, employees, companies and regulators alike.
If you haven’t yet considered how RPA and the above approach could augment and optimise the customer verification process for your organisation, consider some of the points above within your specific circumstances and how these might be applied. What other logical arguments or tests would your process need to incorporate? We’d be interested to hear whether you feel this type of solution could work or not and why.