KYC and digital signature in the gaming industry
Identification and verification of identity in the gaming sector are important to comply with Spanish gaming laws and regulations, to avoid money laundering and fraud, and to prevent gambling by minors and persons registered in the General Registry of Gambling Access Interdiction.
On April 20, we addressed these issues with Damián Marcos (Account Executive at Docuten) and Mathias Vier (Account Executive at Alice Biometrics). We saw how video identification and electronic signature are two solutions that fit the current needs of the gaming sector.
What do we mean by KYC (Know Your Customer)?
KYC stands for “Know Your Customer”. It is a process by which, before establishing a contractual relationship, the service provider needs to verify the identity of its customers, in accordance with current rules and regulations, such as AML, LGPD and eIDAS.
The typical use case on an online gaming website would be the identification of a person prior to the use of the services. The key is to do this with as little friction as possible.
This process, Mathias told us, consists of three steps:
1. Selfie capture: Face verification. The user looks at the camera and a selfie is captured, along with a video of approximately 1 second duration, on which a passive liveness detection process is run. This answers questions such as: Is it a real person or an impersonation? Is it a pre-recorded video? Is he/she wearing a mask? Etc.
2. Data extraction and validation of the documents: The user shows the front and back of the identity document, the data is extracted from it and the relevant security checks are performed. These range from checks on elements contained in the document itself, such as the MRZ, through technological checks (for example: is the same IP and the same device used for the whole process?), to checks of the document's authenticity (Is it an original or a photocopy? Has it been altered? Etc.).
The biometric information is then cross-referenced with the information contained in the photo of the ID document. Does the person in the selfie match the person in the ID document? This selfie scanning and validation process covers more than 200 official documents, almost all the documents in existence worldwide.
3. Activation: In an automated and instantaneous way, the process is validated (or not) by the KYC solution.
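As an added illustration of two of the checks named in step 2 (this is not Alice Biometrics' or Docuten's code), the Python below validates the ICAO Doc 9303 check digits on a passport-style (TD3) MRZ line and confirms that every step of a session came from the same IP and device. The MRZ line is the Utopia specimen from ICAO Doc 9303; the altered line, the session events and all function and field names are constructed for the example.

```python
# Added example: MRZ check digits (ICAO Doc 9303) and a same-IP/same-device check.
WEIGHTS = (7, 3, 1)  # repeating weights defined by ICAO Doc 9303

def char_value(c):
    if "0" <= c <= "9":
        return int(c)
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10   # A=10 ... Z=35
    if c == "<":
        return 0                        # filler character
    raise ValueError(f"invalid MRZ character: {c!r}")

def check_digit(field):
    return str(sum(char_value(c) * WEIGHTS[i % 3] for i, c in enumerate(field)) % 10)

# (field name, start, end, check-digit index) on line 2 of a TD3 MRZ, 0-based
TD3_FIELDS = (("document_number", 0, 9, 9), ("date_of_birth", 13, 19, 19),
              ("date_of_expiry", 21, 27, 27), ("personal_number", 28, 42, 42))

def failed_mrz_checks(line2):
    """Return the names of the checks that fail; an empty list means all pass."""
    if len(line2) != 44:
        return ["length"]
    try:
        failed = []
        for name, start, end, cd in TD3_FIELDS:
            field, given = line2[start:end], line2[cd]
            # An unused personal-number field may carry '<' as its check digit.
            blank_ok = name == "personal_number" and given == "<" and set(field) == {"<"}
            if check_digit(field) != given and not blank_ok:
                failed.append(name)
        composite = line2[0:10] + line2[13:20] + line2[21:43]
        if check_digit(composite) != line2[43]:
            failed.append("composite")
        return failed
    except ValueError:
        return ["charset"]

def session_is_consistent(events):
    """True only if every step came from one (IP, device) pair."""
    return len({(e["ip"], e["device_id"]) for e in events}) == 1

SPECIMEN = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"  # ICAO specimen, line 2
ALTERED = "L898902C36UTO7408132F1204159ZE184226B<<<<<10"   # constructed: birth date edited
SAME = [{"step": s, "ip": "192.0.2.10", "device_id": "dev-a"}   # constructed events
        for s in ("selfie", "document", "activation")]
MIXED = SAME[:2] + [{"step": "activation", "ip": "198.51.100.7", "device_id": "dev-b"}]
```

An edited field fails both its own check digit and the composite one, which is why a document whose visible data has been altered but whose MRZ digits were left untouched is caught at this stage.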
Next, Damián tells us how this KYC is part of the revisions to the AML D5 and eIDAS regulatory framework.
What is AML D5?
The Anti-Money Laundering Directive (AML D5) is a European directive on the prevention of money laundering. It regulates how a client's onboarding should be carried out to avoid identity fraud and any illegitimate activity.
What is eIDAS?
eIDAS is the European Electronic Identity Recognition System, which regulates and establishes all the requirements regarding the creation and use of digital identities. Therefore, the KYC process follows its technical standards.
Compliance with gaming laws and regulations in Spain, what do they consist of?
In Spain, the Regulation of the General Directorate of Gaming Regulation states that companies that are part of the gaming industry are obliged to:
1. Verify through official documentation the identity of the participants of any modality of game;
2. Save information such as the user’s IP, the device he/she has used and his/her ID.
This protects both players and companies, for example by preventing minors from betting, or by preventing certain players from trying to open several accounts to commit fraud, claiming games that are not theirs, etc.
To do this, a process must be created that is as unobtrusive as possible for the customer, while ensuring the highest level of security.
At the digital signature level, there has been a regulatory evolution. These aspects are currently regulated by Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions (eIDAS Regulation).
What is the scope of eIDAS?
The eIDAS regulation applies in all European Union countries: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, United Kingdom and United States.
Other European countries, not part of the EU, have adapted their legislation to be compatible with this regulation: United Kingdom, Iceland, Norway, Switzerland and Ukraine, or are currently in the process of doing so: North Macedonia and Montenegro.
What are the use cases of electronic signature and KYC in the gaming sector?
Signing of gaming contract
The gaming contract is regulated in art. 31 and 32 of RD 1614/2011, which establish that it must include (among others) the data of the signatory, as well as the express acceptance.
Article 31 also indicates that it is a private relationship and that its conservation corresponds to the gaming operator, and at the same time indicates that the gaming operator should manifest by any means valid in law. The operator is the one who has to prove such means valid in law, generate all this evidence and keep it, which implies a high cost and risk, especially if we take into account that the gambling contract can be interpreted as a business relationship and a non-face-to-face operation, which brings in art. 12 of Law 10/2010 on money laundering.
To this end, electronic signature and KYC identification streamline the entire process of signing the gaming contract while ensuring full legal guarantees and information security.
How is the process with Alice and Docuten?
When done from a PC, the process starts with a QR code that takes the user to a mobile device to perform the video identification, followed by signing the contract by OTP code or biometrics.
Note: In this case, the use of the computer mouse to make the signature is not legally valid.
Failure to comply with the gaming contract is a minor infringement of article 41 and the commission of two minor infringements within two years entails a definitive administrative sanction with a fine of between €100,000 and €1M or the suspension of the activity in Spain for a maximum period of 6 months (article 41).
In the first half of 2022, Consumo sanctioned 53 gaming operators for serious or very serious infringements.
Certificates evidencing winnings obtained by players
This is a due diligence measure (art. 7 Law 10/2010) and these certificates are issued upon request.
A common practice is to perform this identification through the player’s payment method. However, not all payment methods have an identification step, so in some cases the payment is not collected.
As an example, says Damián, there is the case of a betting machine in a bar (known as a “slot machine”) in which, when the prize received exceeds 150 euros, this collection has to be done with a validation of the person.
As a solution:
A) With a video identification system we can identify the user when withdrawing cash, regardless of the payment system they use.
B) Signature of an affidavit with the account number, which could be generated from Docuten with minimal friction. Additionally, the certificate of ownership of the bank account could be requested and uploaded to Docuten.
What are the advantages of using remote KYC and digital signature?
- Compliance with current DGOJ legislation on electronic identification.
- Maximum security: prevents fraud by detecting false identity documents and fake identities.
- Omnichannel: the process is accessible from any device with a camera, and information is persistent: access to documentation whenever and wherever you want.
- Reduce registration times and new customer churn rate.
- Improve the user experience.
- Removes distance barriers: allows users to verify their identity and sign remotely, avoiding travel and reducing the time invested.
KYC and Digital Signature, the perfect union
In short, during the first steps of a new player on a gaming platform, he/she will have to identify himself/herself (KYC), so a remote identity verification solution, such as Alice’s, is the best way to perform this step quickly and securely. The player can then proceed to sign the gaming contract in order to start using the platform legally. Finally, during the user’s life cycle, he/she will be able to obtain certificates of winnings, in accordance with the due diligence measures (art. 7 Law 10/2010).
Thank you very much to Damian Marcos and Mathias Vier for their explanation. For any additional questions, you can contact them through their LinkedIn profiles, or via the web at https://docuten.com/es/contacto/ and https://alicebiometrics.com/es/contact/ respectively.
See you next time!