IN-DEPTH 13 March 2018
Frictionless and secure: Payments in the era of Big Data
By Gambling Insider
Gambling Insider sits down with three payments providers to discuss the thorny issues of privacy, accessibility and security in a highly regulated environment
Shane Mortimer, Business Development Manager, ECommPay
Samuel Barrett, Director of Gaming, Trustly
Jose Peral, Chief Operating Officer at Easy Payment Gateway
How will the introduction of GDPR affect the relationship between payments providers and operators?
SM: The implementation of GDPR should not affect the relationship between payment service providers and gambling/betting operators. However, a more interesting topic for payment service providers to consider is the potential collision course between the revised Payment Services Directive (PSD2) and GDPR. PSD2 promotes data dissemination (within a stringent data protection framework) to encourage the development of new technologies, whereas GDPR is opposed to personal data being made available, regardless of channel. As neither European initiative makes allowance for the other, it is here that we see potential disharmony, with PSD2 permitting payment service providers to gain access to the consumer payment data GDPR seeks to protect.
SB: Today’s payment service providers and gaming operators are already adapting to a landscape in which processing of personal data needs to be carried out securely. So the implementation will, on a higher level, not dramatically change the relationship between a gaming operator and a payment service provider. However, in our experience, GDPR has brought greater awareness to the issue of processing of personal data, facilitating a dialogue between the two parties. In that way, GDPR ensures a better mutual understanding of the boundaries surrounding personal data in relation to the specific business relationship and the respective parties’ rights and obligations.
JP: This will affect all operators, but particularly those who use third parties for payment processing. In the past, operators weren’t responsible for the data gathered and processed on their behalf, but now they will be. It is going to mean sharing information on internal processes and procedures to ensure everyone is compliant.
Operators and payment processors are also going to have to be more explicit when it comes to notifying players of where their data goes, and who is responsible for storing and processing it. GDPR will also give consumers greater access to their data, so operators and payment processors will have to ensure it is available for download where possible and without undue delay. It is important that operators and suppliers get this right, as those that don’t can face fines of up to €20m, or 4% of annual global turnover.
Have you already taken any special compliance measures ahead of GDPR?
SB: GDPR will require compliance measures to be taken across the entire organisation, affecting more than just the relationship between the gaming operator and the payment service provider. At Trustly, we’ve launched a company-wide GDPR project to identify the areas where measures need to be taken in order to be GDPR compliant, as well as to identify areas where Trustly is already compliant.
JP: We have taken all the necessary steps to ensure we fully understand GDPR and what it means for our business, products and services, and how it impacts the partners we work with. That said, Easy Payment Gateway is dynamic and configurable, and 100% based in the cloud. As such, it is quick and easy for us to adapt to, and deploy, any changes required following the introduction of GDPR.
Is the legislation fit for purpose when it comes to the gaming industry?
SM: GDPR seeks to redress the balance, returning this commodity – as data has become a commodity in ‘The Information Age’ - into the hands of the consumers. Views are entirely subjective as to whether this is good or bad, but to determine if the new legislation is fit for the gambling industry is, perhaps, also subjective. Fully licensed operators already comply with DPA laws, so should be in a strong position to make a seamless transition. It is in the finer details, such as the “right to be forgotten” provision, amongst other such pro-consumer laws, that the gambling industry will need to become more stringent. The potential sanctions for transgression will be severe, but I truly believe that the industry is well-positioned to mitigate these issues.
SB: Privacy legislation is an important aspect of consumer rights and at Trustly we believe that legislation targeting consumer rights on a general level are appropriate. However, there are specific novel concepts of the GDPR that we believe many industries, not only the payment services and gaming industry, are experiencing challenges with. One such concept is the consumer’s right to data portability, where we feel that the concept is aimed certain industries, rather than all industries that have to comply with GDPR. So in that way, GDPR may not be fit for purpose.
JP: Online gambling is an internet business, and is no different to other digital industries in that operators and suppliers accumulate vast amounts of data and information without really knowing what happens to it. The introduction of GDPR will make us all sit up and pay attention, and in doing so it will better protect businesses and, most importantly, consumers/players.
How can payments providers support operators in identifying potential problem gamblers?
SM: European regulated gambling operators must adhere to stringent policies, directives, and initiatives to tackle problem gambling. Furthermore, they dedicate a certain portion of their own revenues to fund the identification of and rehabilitation for customers with potential problems. Payment service providers, ECommPay believes, have a responsibility to support operators in these activities. Beyond our capabilities to block any transactions coming from an account flagged as belonging to a problem gambler, we have the functionality to detect suspicious transactions and fraudulent users, so we see no reason why these metrics cannot be translated to identify problem gamblers.
SB: Payment service providers can assist gaming operators in monitoring individuals who may want to limit their gaming exposure by, for example, restricting themselves from playing at a certain website. With Trustly’s technology, we can reliably help gaming operators identify an individual who wants to make a deposit to a gaming account and monitor individuals who are considered problem gamblers in other ways.
JP: We already work very closely with our partners to help them in this regard. We provide them with powerful tools that they can offer to their players to limit deposit frequency and amount. We can also do things like blocking IP addresses so payments can’t be processed, as well as flagging customers known to have gambling issues, again, declining their transactions. Of course, it is up to each operator whether they chose to make use of the tools we give them.
Will the ABB Code For Responsible Gambling and Player Protection be hindered by the introduction of GDPR?
JP: I think they are mutually beneficial and will work hand in hand to better protect players. Online gambling operators want their players to be happy and healthy, and introducing rules, regulations and protocols that help achieve this can only be considered a good thing. Sure, industry bodies and regulators could work more closely together to ensure harmonisation between the frameworks they develop, but generally there is cohesion and players are more protected now than ever.
How will AML4 affect the ability of payments companies to provide a frictionless and speedy service?
SB: The highlighted focus on the risk-based approach lets companies better focus their resources on high-risk areas. The introduction of a central register with ownership information is a big plus. However, it will take some time before the register is populated and fully functional. There is still heavy reliance on manual checks and processes, which creates inefficiencies and drives costs. The payments companies that can provide the information for any given gaming operator to fulfil their KYC need has a huge advantage. The ones that will win are those that make the need for any other third party to collect personal data redundant since the payment and the KYC process are so intimately connected.
JP: The user experience has not been impacted at all, but it has meant a serious increase in work for compliance teams. That said, it is important that the online gambling industry meets such high requirements when it comes to anti-money laundering, and the increase in work is worth the effort. We are a vice industry at the end of the day, but if we can prove we are compliant with gold standards then we can hold our heads high safe in the knowledge we are doing all we can when it comes to honesty and transparency.
Implementing new regulations may require new technology and resources. How will it affect the cost of service provision?
JP: We already have these technologies in place. We have connected services like GBG, Iovation, Call Credit and Kount. We are very aware that operators now require more help when it comes to AML and fraud, and our war chest of technologies and solutions that has been assembled to ensure compliance with these standards is as hassle-free as possible. These services do incur a cost, but that is all part of being a licensed and regulated gambling operator.
In your opinion, will this risk-focused approach (AML4) prevent future illicit activities?
SB: While it’s certainly a step in the right direction, there are no guarantees it will prevent illicit activities because criminals are always becoming more creative and innovative. Legislature will always need to be amended to keep up with their shrewd tactics, though it’s hard because criminals can usually move faster.
JP: It will make online gambling operators more transparent, and highlight any potential shortcomings or lapses in security. Taking a risk-based approach means that operators can focus on the areas that affect them and their business, and ensure they strengthen the protections they have in place instead of having to tick boxes for things that don’t impact them.
How are payments companies using personalisation and geolocation technology to help merchants drive sales and collect spending data?
SM: The payment page can be optimised using personalisation and geolocation technologies, which has a direct effect on conversion and retention rates. For example, by detecting the IP address of a prospective customer, the merchant’s payment page can immediately re-configure to offer the most relevant regional payment methods. In much the same way, the payment page is adapted to provide an omnichannel user experience. With consumers increasingly relying on mobile phones to place bets or switching between tablets and laptops to access merchant websites, payment service providers must facilitate the same seamless payment process across each possible device. The services offered by payment companies increase conversion by providing an intuitive, user friendly customer journey for the end-user.
JP: Online gambling operators understand that data is key, and it is certainly the case when it comes to payments. We are able to educate them on what payment methods are most popular in what markets, and how they can tweak their payment offering and tailor it to each. By offering the right payment products in the right markets, operators are able to better engage players and drive acquisition and retention.
Could you speculate about the future of cryptocurrencies in the gaming industry?
SM: According to many experts, the long-held belief that online casinos will entirely displace their land-based counterparts in inaccurate. While online casinos are appealing in their accessibility and convenience, offline casinos offer an irreplaceable experience. ECommPay foresees a merger between the two, with cryptocurrencies playing a key role in the payment possibilities available both online and offline.
JP: They have a place in the gambling industry, that’s for sure. Our sector is no different to others, and cryptocurrencies are gaining traction in markets and industries all over the world. We already have several merchants processing cryptocurrencies, and expect more to come online in the coming months and years. It’s still early days for how cryptocurrencies will be managed and regulated, but I think those hurdles will be overcome very quickly and before long we will all be transacting in bitcoin or Ethereum for example.
How can payment companies support player verification for new sign-ups?
SM: Because verification requires more comprehensive information about the prospective player, card details and AVS technology could be used as an additional layer of authentication. Additionally, payment service providers offer risk management solutions, which could be adapted to meet the requirements of player verification procedures. ECommPay’s proprietary FraudStop system validates user credentials using various filters and criteria interdependently, scoring transactions by their likelihood to be fraudulent. The same technology could be re-configured to verify new players on gaming websites.
SB: With all of the consumer data that payment companies can collect, they’re now looking at how they can simplify the sign-up process for players. At Trustly, we’ve developed a ground-breaking product called Pay & Play that eliminates the burdensome player verification step. Simply by making a deposit from their bank account, players can simultaneously register an account and get playing right away, rather than filling out lengthy forms where they are likely to drop out. We’re seeing significant interest from companies that want to make it an integral part of their business model.
JP: We can do this with third-party services that we have connected to our platform, as well as our rules engine. That said, most operators check players when they request a pay-out, not when they make a deposit.