Philip Young, creator of digital identification app Luciditi, believes the requirement to provide more personal documentation for further checks via the Government’s looming White Paper only adds to the “accepted risk”.
As the Government’s gambling reform White Paper looks set to introduce more stringent data checks for customers, the founder of an ID-tech start-up offering its services to the industry believes large data breaches could be the next challenge for betting operators with calls for more personal information to be provided for KYC (know your customer) checks.
Plus, in the wake of Entain’s record £17m ($20.6m) fine for its failure to conduct necessary checks on customers, Young also suggests more needs to be done to tighten up customer control to avoid duplicate accounts being created.
How can the gambling industry get a hold on the issue of players creating duplicate accounts that can lead them to depositing large sums of money?
Well, the only way to do this is to confirm the identity of a player in a way that cannot be mimicked or circumvented. This requires the use of a government-issued identity document that most people own, such as a passport, and then for this to be uploaded to the systems that operators use.
Unfortunately, this is not something all customers would feel comfortable with and, with more documentation being added to a system, it adds to the risk of this data being compromised.
Maintaining checks on customers is paramount to the safety of players and also to prevent any illegal activity. What risks do poorly conducted checks or a lack of information on customers pose?
Any operator has access to the technology required to perform thorough “know your customer” (KYC) or anti-money laundering (AML) checks via a number of agencies, and the technology supporting these systems, especially with the use of AI becoming ubiquitous in the AML space, will help significantly. Tying the results back to a “known identity” – a system where only one account can be created per customer – in order to ensure that players cannot open other accounts with the same operator is key.
No organisation should be storing any personal data other than which is essential to conduct their business operations. However, if the regulator says it’s required for compliance, it's only a matter of time before large-scale data breaches occur
The gambling White Paper is set to be released later this year, which will increase demand for affordability checks. This level of detail will require customers to allow operators to see more private information about themselves. Should customers be confident in handing over this information?
The potential for the additional information to be used, stored and retained should be a major worry. Players will be expected to have a high level of trust in the operator's process.
No organisation should be storing any personal data other than which is essential to conduct their business operations. However, if the regulator says it’s required for compliance, it's only a matter of time before large-scale data breaches occur.
Sadly, it is an accepted risk when using online services and isn’t limited to our industry.
Responsible operators need to take the lead on this and ensure that data minimisation, storage techniques and low-retention policies are employed for all customer data. These are major architectural considerations within systems rather than overnight fixes – which in some cases could take months or even years to refactor depending on the complexity, scale and risk involved.
Following the failings at Entain, do you think it would be realistic for an operator to lose their licence the next time a case like this occurs?
There is no point in having regulation unless operators are forced to take a proactive approach to data security and are able to demonstrate good practice when asked.
By now, we should be way beyond making examples of bad practice with headline-grabbing fines. All serious infractions should warrant immediate suspension – reinstated only when there is confidence that satisfactory mitigations are in place.
Repeat offenders, especially where there has been little or no attempt to follow the guidance should have licences revoked. This isn't about taking responsibility away from individuals as the lobbyists say, it's about working within the rules laid out by the Gambling Commission – the same rules all operators are expected to work within.
How can customers’ data be stored in a much more efficient and effective way?
This is the problem. Operators need to consider how their data is stored, particularly when more sensitive information is supplied that, if compromised, could lead to all sorts of issues.
What we have built at Luciditi is a reusable digital platform, which can be used to confirm the identity of an individual to another unknown party. Unlike other systems, the trust is two-way and established in real-time so that you know, before sharing any data, that the party requesting it is genuine. This is a way for customers to have a level of trust without relying on the word of another party.
By also holding information remotely, operators will not be solely responsible for storing customer data and this will help stop people from exploiting the current loopholes in the system, such as creating duplicate accounts and providing false information to companies.
There is no point in having regulation unless operators are forced to take a proactive approach to data security and are able to demonstrate good practice when asked
From your experience, what can the gambling world learn about data protection from other industries?
I have worked in healthcare software for many years where there is a common understanding across the world that patient data is never exchanged, moved, edited, copied or accessed without significant process, auditing and only then with justifiable reason.
This data handling principle is shared amongst everyone from customer support and developers, through to clinicians and ancillary staff – even between different system suppliers. Consequently, everyone is aware of potential exposure and it factors subconsciously in everything they do.
A similar level of “duty of care” should be taken with all sensitive customer data, whether that be identity or financial so that should data become exposed, it is of minimal value and has minimal impact on players.