Under GDPR (Art 6) there are six legal ways for collecting and processing personally identifiable information (PII):
- Consent (of the data subject)
- Contractual obligations (when the data subject is a contract party)
- Compliance with legal obligations (based on Union or Member State law)
- Protection of vital interests (of the data subject or of another natural person)
- Public interest and authority
- Controller's legitimate interests
This legal basis has to be established prior to collecting or processing PII -- including data required for AML purposes. Processing or collecting PII without a clear legal basis is a violation of GDPR.
It's clear that the controller has a legal basis for collecting and processing PII when obligated to do so under AML regulations ("compliance with legal obligations"). It should be noted that this should be done in a "reasonable and proportionate way of achieving compliance".
"Legitimate interests" as a legal basis is not as clear as "legal obligations". The controller might justify this in cases such as preventing fraud for example, but in all this basis is more open to interpretation. Another example might be a legal obligation which is not based on Union or Member State law but the controller is still required to comply with it.
AML regulations require the collection and processing of a lot of information which might not fit that well with GDPR's legal basis approach. It's a balancing act. The two different sets of requirements (GDPR limiting the use of PII and AML maximising the use of PII) create a number of conflicts when it comes to compliance as a whole.
Generally individuals have the right to access their personal data unless there's an exemption which would justify denying it (Article 23 of the GDPR allows for an individual's rights to be restricted in certain circumstances, for example crime prevention).
The SOF is in most cases the bank account of the client. But this knowledge does not necessarily mean that the funds are from a legitimate source: the bank may have already filed a suspicious activity report (and given consent to approve transfer of funds out of that account) or the bank may have failed to apply appropriate KYC/EDD/AML measures themselves.
So the fact that the source of funds is the client's bank account does not mean that appropriate KYC/EDD/AML procedures shouldn't be applied. The level of scrutiny should be based on the company's understanding of the client’s circumstances and risk profile.
The risk is enhanced when the client's funds originate from a third party. But there needs to be consistency and pragmatism here. You have to ascertain the source of funds where necessary. And you have to know how far in the chain it's necessary to have evidence on file of the source of funds. If you ask for an ID from a third party whose name shows on your client's bank account statement, why stop there? Where did that third party get the funds?
One thing the companies facing these situations seem to forget: they are not obligated to prove that money is clean, it's about being satisfied the money is consistent with the client risk profile and there's no suspicion of money laundering.
These companies are not the police investigating potential crimes. It seems that some forget this in their fear of getting fined. Even though the sanctions in most cases have related to RG and not failures in AML compliance as such.
Thanks, so there is a large amount of interpretation and if ultimately the 3rd parties deny access and the player can show that, it's down to who to decide?
[...]
Also, even if they had the right to ask for the information they are, the person who is being asked for the ID has no legal obligation to do so.
[...]
... These companies are not the police investigating potential crimes. It seems that some forget this in their fear of getting fined. Even though the sanctions in most cases have related to RG and not failures in AML compliance as such.
If they thought he was a problem gambler, or the funds were possibly not clean then the deposits should have been blocked immediately. Clearly they thought there was a RG or AML problem, but happily took that money, and tempted the OP to spend more of his 'stolen money' or 'money he couldn't afford' by sending texts offering bonuses, AFTER they apparently had concerns.
And since this morning I've just received another ridiculous "can't discuss due to GDPR" excuse from a major operator in response to a player's PAB I think today is the day to start that "GDPR Abusers" list I've been thinking of here at Casinomeister. I'll post a link here when that is live.
If a player is asking for help from an ADR service like PAB here and gives you permission to all information, how's that actually violating GDPR in their replies?
In other words the Support people handling complaints are given a blanket statement from Legal and that is what they parrot whether they have any clue that it is relevant, applicable, justified or even legitimate.
If I had somehow managed to get handwritten statements and a copy of the ID of the people who had transferred money to me in August ... no way Casumo would be satisfied. I'm sure this would just be the beginning... probably demanding bank statements from the 3rd parties as well.
I actually told one of the people who had sent me money what was happening, and that Casumo asked for a statement and his ID. He just laughed and said "Sorry, you must be crazy". After that I knew this was an impossible task to fulfill :/
For sure I am categorized as a "high risk - do not touch - kill with fire" customer. When I think about it they have actually never gotten real (I mean real real) proof of where the money is actually coming from, except 25% or so... so I kinda understand that they suddenly now became worried about my account. Is that really my fault tho?
Asking for proof of all transactions you received to your account looks pretty much like you are categorized as quite a high-risk customer for the operator.
Note2: My VIP manager has stopped answering my questions. She probably has been instructed to do so.
My understanding is that the casino manager goes to the legal team and asks one question: "How will I not get fined?"
And legal says: "Ask for that"
Manager: "Do they have to give it?"
Legal: "No, but you can ask and not let them cashout!"
In other words, since they have permission from the regulators to ask the impossible and stop cashouts, they are doing it.
And the regulators? They get to say they care because they fine the online industry with millions.
And what about the players? The truth is that, politically speaking, gamblers are at the bottom, nobody cares about upsetting them.
Essentially that's how it is. If they accept a deposit and allow you to make one spin they are confirming that verification is complete as well as SOW as per Section 17 LCCP. In the real world some casinos don't understand/choose to ignore this.
The useless UKGC should implement a rule stating that if a deposit is accepted, then a withdrawal of any amount up to the account balance is allowed. Any SOW, ID check etc should it be deemed necessary by a casino should be carried out before accepting said deposit. Once a customer deposits successfully, then the casino should pay any winnings achieved with that deposit.