AML Stuff, VPN's and general reasons why all the scrutiny :)

Igor82

Senior Member
Joined
Apr 15, 2012
Location
Malta
Hi all,

Last week we had a potential AML case being strongly advertised in the complaints section and as always a lot of speculative opinion came out in respect of some regulations and requirements set upon players. As a result, I promised to delve into these issues in an open forum once the PAB case closes, so here it is.

We cant have this post being "fraud-ED 101", so the information is limited to what is generally researchable on-line and what is generally known to be required by operators & regulators alike. We wont be looking into what we do and how we do it, beyond the basics. I've outlined some general information that has surfaced though questions in the PAB thread and then I posted most interesting comments from the thread itself & commented specifically on those.

VPN (Virtual Private Networks) and Proxy use

First off, there was talk about VPN use, whether it is rightfully frowned upon and why would it be used. For the less IT-savvy out there i'd like to explain VPN use in brief:

I personally use it :)

Our backed systems and various admin tools are accessible via web-based interface. That allows us to expand our resource globally and look/act on an issue from any location in the world. It's a very nifty feature to have and many industries world wide use web-based software administrations due to raising demand for globally paced resource. However, that also increases a risk of hacking, by which should a hacker ever know the correct IP/address to visit, they would have an open field day in terms of tools that operate a casino or any e-commerce business. Realistically, this stretches far beyond e-commerce in this day and age, web based administrations are widely used in many industries.

Here comes in VPN - for the sake of security all of the access would be limited to a single IP, our office IP servers which are "backbone" (direct line, no hackable internet hops) connected to the administration servers. Hence, if I try to access any part of my business from anywhere in the world, including my home, I would be blocked. I simply wouldnt find what im looking for as my IP is not on the list of acceptable IP's to allow access to. A secure VPN connection set up on my machine will ensure that anywhere in the world I'm linking through to necessary access via my Office IP and as such i'm "allowed" to pass.

4488876837_8d3da2423a.jpg

Above is an easily researched function of a VPN world wide, as any person employed in a corporate infrastructure with access to work administrations from a laptop will be familiar with. That is why our casinos and many other casinos will allow use of VPN's if previously notified and will expect to see additional IP in the list. This is also why two or more players may appear to come from the same IP, which any reputable casino will investigate and clear with sufficient explanation given.

On it's own, this *isn't a deal breaker* it merely will raise additional questions which you need to be prepared to answer and the reason for that is because you are hiding your native IP and hence, location, every time you do this.

So, what's the problem then, you may ask? Well, there's legit use of VPN and then - there's a fallacy. There is a number of anonymous PROXY services out there advertised as VPN security services - it's like finding a full report on how to hack into a persons computer on a site advertised as providing anti-hacking measures. Total bull-cr*p.

Here's a few example of such sites:

Outdated URL (Invalid) > HIDE-MY-ASS > this particular "VPN security" site name is a dead give-away toward the true nature of their services.
Outdated URL (Invalid) - this site advertises that you can PAY for their services anonymously by using voucher gift cards like Starbucks, Target, Macy's etc...

These aren't VPN sites, these are PROXY sites which advertise as security sites for legal reasons, but offer absolute anonymity. There are fraudsters heaven. Serious fraudsters don't even buy services such as these, they have their own underground networks they connect to. No player that buys this service for legitimate reasons is also required to hide their origin, it is a setting they CHOOSE to use, making their reasons non-legitimate.

Without telling you how, kindly know that *WE KNOW THE DIFFERENCE* - there are some really smart people working on on-line security with most operators and they have advanced technology on their side. There is a clear distinction between using VPN as part of your day-to-day browsing and using a Proxy VPN to "hide yo' ass" - these days you'll be caught and frankly, the latter will be evidence strong enough to disregard your rationale for using services of that nature.

We need to know WHO YOU ARE and WHERE YOU ARE at all times when using our services - otherwise don't bother playing.

That brings me to the latest hurdle we are overcoming - mobile use. 3G,4G and even GPRS providers and telephony networks have different range of assigned IP's and are currently messing with old fraud rules and flags. Your IP may appear to jump around beyond the rationale of your randomly assigned ISP range of IP's and even sometimes appear to have jumped countries. Players may have experienced risk departments questioning them in respect of their log-in IP's that they wouldn't be able to answer to.

Kindly explain your use of 3G connectivity. If the operators haven't picked up on it yet, it will give them enough information to check the validity of your answer and act upon it without putting you in the high-risk segment.

We have upgraded the logic of our systems already and I'm certain many operators out there have also, these days mobile users are recognised through a serious of other information we receive and are catered to respectively. Again, trust your certified operators to do their job. the vast majority of them is ahead of the fraud game, for your own protection, ultimately.

More capable we are, the less we need to put generic "at our discretion" statements which are IMHO an easy cop-out from doing the hard work. That's also the reason why Bryan does not allow such statements to be freely used. It's our job to know what we are doing.


********************************

Voucher Cards and other Anonymous Payment methods

There was a good statement from a loyal customer of ours stating that if we allowed anonymous payment methods then we should be OK with allowing fishy operation if we cannot 100% prove it. I'm sorry abut that's not correct. I'll get to "absolute proof" vs "very strong evidence" later on and how it relates to the weight of responsibility for this industry.

Firstly, we are a commercial business. We're here to make money, like any other business. We offer a service, which in this case is an opportunity to walk out with more than you walked in with. For such service we retain a cut, which player see as "house edge" - a house advantage ranging from 0.21% to 5-6% on games played.

The maths are really simple when it's broken down to basics. The casinos ensure their profit from their portfolio of clients as a whole and not from each and every individual player. Common sense: if every player was guaranteed to lose, there would be no interest.

Secondly, we are a globally serving business, with global requirements and difficulties. Who is to say that we should punish every voucher user out there, punish our business and ability to generate valued (&valid) customers, for the sake of potential risk that is connected to a part of the operation we are running? I think that's misplaced logic.

We should strive to give every opportunity to use our services, to every customer, while keeping our diligence on high alert at all times. There are many customers that genuinely like using vouchers, as it is readily available in their region and allows them solid bankroll management, simply because they do not connect their direct bank account to the thrills of gambling that carry it's inherent dangers.

Likewise, it's important to note that our own business carries ZERO deposit and withdrawal charges. That means we assume the entirety of payment gateway costs, which for anyone that tried loading their e-wallet account with a voucher, is known to go up as high as 10%. This lack of transactional costs make my casino launderer's haven - much cheaper than the "next door neighbour".

So do we stop vouchers and make ourselves less competitive on the market, do we place massive costs on transactions and punish everyone, or do we increase our diligence and ensure the right guys get pinched. I'd like to think that every genuine player out there will agree with me in saying, get your diligence up Igor, and let us enjoy our game-play...

So how do we know, and when? As my foolishly transparent team has informed the customer already, there are some rules that we look out for. And as the community dissected those, they did so by dissecting each and individual rule which was a small part of the big picture. Individually, those rules shown (and many thankfully not shown) may not mean much, but each carry a weight that contributes to the overall impression and profile of that customer. Keep in mind that we are in the business of mathematics - and we are really good at it (ought to be at least) and i assure you that there are clear signs when game-play can be directly translated into intent. That's important.

When a player raises the first warning flag, a process begins - and it is not a straight forward one. That player will be put through scrutiny where every part of their experience is analysed and profiled by people that have a wealth of experience. A probability of innocence is weighted and assigned based on many elements that are looked into. Finally, an action will be taken. In the latest example that action was proof of origin of funds, or in some cases a customer may be asked to hold their ID next to their face, or sign a credit card statement, etc..

In this example, a good question was raised - how does a proof that vouchers were purchased prove anything with regards to actual origins of funds? Excellent question and bring me to the last point in this little essay:

************************************************************

Anti Money Laundering Regulation and Responsibilities put upon operators and providers

Historically, Casinos are the easiest way to launder money. Some members here posted links to how it worked across 1 MILLION pounds laundered at a cost of approximately 9%. That's pretty cheap and carries risks of physical presence to boot. The operator in question got penalised in the end and all their profits were taken away, which frankly is a very light sentence.

Each operator has what is called AMLO - Anti Money Laundering Officer, which is businesses will be either the highest point of responsibility, or highest point of "risk" responsibility (say Head of Risk). That person is then *criminally* responsible to ensure correct processes are in place to decrease, mitigate and eradicate laundering attempts within their operation. Just to be perfectly clear, if someone was foolish enough not to be stringent in their processes, not only would their negligence cost them any earnings, but they would be criminally responsible as an accomplice. That's a pretty pointed chair to be sitting on.

That brings me to "absolute proof". This is not a court of law, and while every step should be taken to emulate the process of such court, the reality stays that it is in fact - not court of law. The lack of "customer present" scenario, versatility of globally serving audience and the fact that laundering is in fact profitable for casinos, make the legal requirements on reporting such acts extremely stringent. When we fail, either through negligence or purposeful non-compliance, we are put in the same pot as those that use our services to launder.

As such, we only need to (EDIT: are obliged to) ensure "sufficient reasons of doubt" are generated in order to escalate the case to authorities, which accept or deny our claims. That brings me to answering the last point in the thread: How does proof of card purchase prove origin of funds?

Frankly, it does not in the grand scheme of things, but it does in relevance to our business. We aren't Interpol, Interpol is Interpol. We are a service provider which requires that proof of origin of funds is catered to when depositing funds into our business. Hence, screenshot of your credit cards, your proof of residence and your ID's. Hence the need to certify each new payment method you employ with an operator. We are bound to secure the point of origin into OUR business - it is government job to then investigate further if there is ever any need to.

So my final advice on the topic: If you use vouchers, keep the receipts of your deposit purchases until you either spent the funds or had your withdrawal processed.

- If you use VPN, declare it!
- If you play from your home with your boyfriend/girlfriend,wife, etc. - declare it!
- If you own a card from a different country than your residence, declare it!

If you feel there is an element to your life that is different to the norm, check, ask,confirm and inform yourself. You will find that operators are more understanding when they don't have to "hunt" for possible reasons. In this thread someone had mentioned this payer asked beforehand and we approved - that isn't true. This player was caught, gave an explanation that only made sense for a short period of time until other information became apparent and as a result was caught in a lie.

Hiding your true reasons for behaving "out of norm" will only put you in a position where, even if in extremely rare cases of genuinity, once confronted you are in a losing position. One sign of dishonesty will label you across the board and operators will not risk it. So be genuine! If that particular place does not have understanding for your situation, competition is fierce out there - you will find a place that does.

We don't need absolute proof, we need "sufficient reason to doubt" and if you give sufficient reason, if you are in any way dishonest, then the burden of proof falls on you and you will have no one to blame but yourself.

That last part read a bit like a warning, and frankly it is to any "fraud-ed 101" seeker out there. To the rest, i hope above provided some clarity as to why and how the things work as they work, and I hope that next time you are confronted with what feels scrutiny and breach of privacy you will understand that ultimately it is done for safety and security of yourself as much as for the protection of legality of the operation you are entrusting your money to.

Cheers

Igor
 
Last edited:

Igor82

Senior Member
Joined
Apr 15, 2012
Location
Malta
Cant Blog this :(

It's some 5,000 words too long. Bryan, is there any way to get this on my blog from your side?
 
Top