Are you a Highroller? BEWARE of CASUMO

Under GDPR (Art 6) there are six legal ways for collecting and processing of personally identifiable information (PII):
  • Consent (of the data subject)
  • Contractual obligations (when the data subject is a contract party)
  • Compliance with legal obligations (based on Union or Member State law)
  • Protection of vital interests (of the data subject or of another natural person)
  • Public interest and authority
  • Controller's legitimate interests
This legal basis has to be established prior to collecting or processing PII -- including data required for AML purposes. Processing or collecting PII without a clear legal basis is a violation of GDPR.

It's clear that the controller has a legal basis for collecting and processing PII when obligated to do so under AML regulations ("compliance with legal obligations"). It should be noted that this should be done in a "reasonable and proportionate way of achieving compliance".

"Legitimate interests" as a legal basis is not as clear as "legal obligations". The controller might justify this in cases such as preventing fraud for example, but in all this basis is more open to interpretation. Another example might be a legal obligation which is not based on Union or Member State law but the controller is still required to comply with it.

AML regulations require the collection and processing of a lot of information which might not fit that well with GDPR's legal basis approach. It's a balancing act. The two different sets of requirements (GDPR limiting the use of PII and AML maximising the use of PII) create a number of conflicts when it comes to compliance as a whole.

Generally individuals have the right to access their personal data unless there's an exemption which would justify denying it (Article 23 of the GDPR allows for an individual's rights to be restricted in certain circumstances, for example crime prevention).

The SOF is in most cases the bank account of the client. But this knowledge does not necessarily mean that the funds are from a legitimate source: the bank may have already filed a suspicious activity report (and given consent to approve transfer of funds out of that account) or the bank may have failed to apply appropriate KYC/EDD/AML measures themselves.

So the fact that the source of funds is the client's bank account does not mean that appropriate KYC/EDD/AML procedures shouldn't be applied. The level of scrutiny should be based on the company's understanding of the client’s circumstances and risk profile.

The risk is enhanced when the client's funds originate from a third party. But there needs to be consistency and pragmatism here. You have to ascertain the source of funds where necessary. And you have to know how far in the chain it's necessary to have evidence on file of the source of funds. If you ask for an ID from a third party whose name shows on your client's bank account statement, why stop there? Where did that third party get the funds?

One thing the companies facing these situations seem to forget: they are not obligated to prove that money is clean, it's about being satisfied the money is consistent with the client risk profile and there's no suspicion of money laundering.

These companies are not the police investigating potential crimes. It seems that some forget this in their fear of getting fined. Even though the sanctions in most cases have related to RG and not failures in AML compliance as such.
 
Thanks, so there is a large amount of interpretation and if ultimately the 3rd parties deny access and the player can show that, it's down to who to decide?

I guess the controller and such at the casino, following the guidelines. I guess there may not be a need to satisfy the 3rd party requests to get to a decision. From what you are saying the 3rd parties are under no obligation at this stage. Let's say you request but they decline due to data protection, you could then get a response in terms of have I satisfied you or not?

I suppose there are trigger points that require certain due diligence to be shown also.

Great Info thanks
 
Also, even if they had the right to ask for the information they are, the person who is being asked for the ID has no legal obligation to do so.

In this case Casumo have admitted they blocked withdrawals (but not deposits) until the OP sent in information, that, quite possibly, was impossible to do.

If they thought he was a problem gambler, or the funds were possibly not clean then the deposits should have been blocked immediately. Clearly they thought there was a RG or AML problem, but happily took that money, and tempted the OP to spend more of his 'stolen money' or 'money he couldn't afford' by sending texts offering bonuses, AFTER they apparently had concerns.

*Note to OP - I am not saying there was a problem, only what Casumo thought.
 
Thanks, so there is a large amount of interpretation and if ultimately the 3rd parties deny access and the player can show that, it's down to who to decide?
[...]

Also, even if they had the right to ask for the information they are, the person who is being asked for the ID has no legal obligation to do so.
[...]

This is the main point imo. And the casino knows this. While they would be allowed to process that data under GDPR, the question is how are they able to collect it? If the third parties are not (also) customers of the casino, it's an impasse.

I've dealt with similar situations before. But in these cases the third parties were willing to supply signed statements for file. And they were business transactions. Hardly comparable to playing slots online...
 
... These companies are not the police investigating potential crimes. It seems that some forget this in their fear of getting fined. Even though the sanctions in most cases have related to RG and not failures in AML compliance as such.

Apologies for jumping into the middle of things but I wanted to add a comment on the above.

The gathering of player data and "verification" of same is also commonly used as a cover for slow-paying players.
In a number of cases I've dealt with in PABs the operators will demand documents from the player supposedly as part of their "verification" process. Once said documents are provided suddenly more, previously unmentioned, documents are necessary and the ones just given are promptly forgotten and never mentioned again. Not to mention that justification for these document requests, regardless of how invasive they may be, is hardly ever given or explained. Control is very definitely in the operator's hands throughout this process which is somewhat ironic given that the GDPR was supposed to empower the data subject not the data controllers.

Needless to say the same tactics are often used to slow and stall the dispute arbitration process but that's another story.

The bottom line is that abuse of the GDPR by operators is a fairly common thing and it's all done under the guise of "compliance" and "player safety". Doubtless some operators are trying to cover their butts but many are simply using the GDPR as an excuse to frustrate players, tie up their money in red tape and avoid scrutiny during arbitration.

I strongly suspect that the legal teams of casinos everywhere broke out the champagne when the GDPR came into force because they knew sooner than almost all of us that it was going to be a free pass for them to continue dicking players around but now they'd be able to do it with the umbrella excuse of following the GDPR's legal process. The GDPR handed them a nice big stick but said bugger all about the limits and restrictions of its use.
 
For those interested in the above I thought the following might provide worthwhile further reading:

And since this morning I've just received another ridiculous "can't discuss due to GDPR" excuse from a major operator in response to a player's PAB I think today is the day to start that "GDPR Abusers" list I've been thinking of here at Casinomeister. I'll post a link here when that is live.
 
If they thought he was a problem gambler, or the funds were possibly not clean then the deposits should have been blocked immediately. Clearly they thought there was a RG or AML problem, but happily took that money, and tempted the OP to spend more of his 'stolen money' or 'money he couldn't afford' by sending texts offering bonuses, AFTER they apparently had concerns.

Leaving the account open, accepting deposits but not withdrawals, is pretty much what they are allowed to do when carrying out CDD measures; below is from "MGA Implementing Procedures". After 30 days, if requested documents are not received or can't be approved, the licensee should terminate the relationship.

"In carrying out the CDD measures, customers may be allowed to continue using their gaming account while the licensee obtains any necessary information from the customer concerned. However, until such time as the licensee obtains the necessary information and documentation from the customer to meet its CDD obligations, the customer is not to be allowed to effect any withdrawals from the account independently of the amount involved."
 
And since this morning I've just received another ridiculous "can't discuss due to GDPR" excuse from a major operator in response to a player's PAB I think today is the day to start that "GDPR Abusers" list I've been thinking of here at Casinomeister. I'll post a link here when that is live.

If a player is asking for help from an ADR service like PAB here and gives you permission to all information, how's that actually violating GDPR in their replies?
 
In almost all cases no justification for their refusal to cooperate is given beyond a generic and hand-wavey statement like "data protection requirements" or "player data protection".

In practice the people receiving and handling the PABs are fairly far removed from the operator's legal department and it is typically the legal department that gives the marching orders related to the GDPR and complaints resolution.

In other words the Support people handling complaints are given a blanket statement from Legal and that is what they parrot usually without a clue whether it is relevant, applicable, justified or even legitimate.
 
In other words the Support people handling complaints are given a blanket statement from Legal and that is what they parrot whether they have any clue that it is relevant, applicable, justified or even legitimate.

Pretty much the same as these SOW and other processes we see here: the legal/compliance team provides a very blanket statement about regulations, AML laws and directives etc... but none have specified anything further in the request to help understand which particular sentence in some law/directive made them decide to request XYZ.

As posted earlier, if some casino would like to open up about what their decisions are based on, it could make it easier to accept and understand whether these laws/regulations/directives are really demanding such extended requests, and if not, then everybody can have their own opinion on whether these really are needed to fulfil obligations or not. These are all public documents available to all, so pointing to a few sentences from there on why something is done would make it much more transparent at least; it's a different story again how many, after reading it, agree that some demands are not way over their means.

When doing risk assessment, of course it's always up for instance who is doing it how high risk something is categorized and with that we have to live, but would make it clearer what is counted to cause that high risk, is it one or two hundred euro bank transfers from your friends/family etc... or some 50k€ from private person without any information, these both in many casinos (not specifying Casumo here) are dealt with exact same requests to trace source of these funds, even one transaction which is not your salary can lead for these nice requests for explanation where and from who this 50 euros came from (yes, it can be from criminal source but it's to operator to decide how high risk that one transaction is causing to them).
 
The big guns are entering the thread. Lobo likes =)

Excellent research @ternur !

In my case, the amounts transferred to me were between € 200 and € 600 in August (the only period they required bank statements). 4 or 5 transfers from other people.
If you compare that to the total amount transferred to Casumo in 3 years then it is well under 1%.

If I had somehow managed to get handwritten statements and a copy of the ID of the people who had transferred money to me in August ... no way Casumo would be satisfied. I'm sure this would just be the beginning... probably demanding bank statements from the 3rd parties as well (as you say, @ternur ) - and then started on July, June etc...
Just speculations but they for sure wanted to get rid of me. No doubt in that.
 
If I had somehow managed to get handwritten statements and a copy of the ID of the people who had transferred money to me in August ... no way Casumo would be satisfied. I'm sure this would just be the beginning... probably demanding bank statements from the 3rd parties as well

Why not, if they only requested their ID:s :) Of course signed letter "Money I have transferred to Luckylobo is amount I have borrowed from him and paying it back now and I also hereby confirm that I have not completed any illegal activities" anything more wasn't asked than only picture of ID:s...

Then of course they would have identity of these persons to see if they are in any PEP or sanction lists, but don't guess many operators do these scans of 3rd party persons who are not their customers. For some it can sound a bit nonsense to start to now ask some 3rd party ID:s to find out if that small amount compared to your deposits has AML concerns or not if it really is just a small drop of your deposits within the time your statement was requested to show all transactions but maybe just these transactions were found to be relevant, no matter if your salary or other incomes can support your spending, as long as you can provide ID:s of your friends who have transferred money to your account.
 
I actually told one of the people who had sent me money what was happening, and that Casumo asked for a statement and his ID. He just laughed and said "Sorry, you must be crazy". After that I knew this was an impossible task to fulfill :/
 
It's understandable that a question is raised about transactions where private persons are transferring you money, but it's another question when you have reason to think that you need to ask source of funds for that specific transaction; if the amount is like 200€ you mentioned in your example and it's a single transaction (if the same person keeps sending you money constantly, then it's understandable to request why and what is that), I doubt that there is not very big risk for huge fine from any regulator. Of course again if your statement looks that it's full of transactions from private persons which clearly looks that you are getting all the time transfers where can't be known what and why (like your salary usually can be seen from reference and who is paying that). But would count it "bit" over protecting to start SOF investigations from a single transaction or two which are not repetitive and only an amount of €200 or something.

All who are operating under AML regulations (online casinos included) are demanded to have their ongoing monitoring in place to be able to recognize suspicious activities; how and what they want to investigate is up to them as long as all regulations are followed. If they think that some transaction is suspicious or a customer for some reason is showing any risk elements, then due diligence needs to be done and how specific it is, is based on the risk assessment made.

Asking proof of all transactions you received to your account looks pretty much that you are categorized to be quite high risk customer for operator :)
 
For sure I am categorized as "high risk - do not touch - kill with fire" - customer. When I think about it they have actually never gotten real (I mean real real) proof where the money actually is coming from, except 25% or so... so I kinda understand that they suddenly now became worried about my account. Is that really my fault tho?
This WSO-thing they should have done much earlier.

Note: As a player at Casumo I would not have been worried as long as the amounts you are depositing each month do not exceed your monthly salary.
If you are above (after f.ex a big win at another casino or sold some stuff etc); stay away. Split the money up to different (trusted) casinos instead.

Note2: My VIP manager has stopped answering my questions. She probably has been instructed to do so.
 

Like Maxd also stated, that's very normal practice to do when that mystical legal department advises just to speak about that secret law we need to follow but we don't really know what we are doing or for some reason are not willing to explain it to the customer as it would be at least a polite manner to do. Only "because we have to bla bla bla" is not really much explained, but more you don't get.

Your VIP manager, reps here etc.. are told by that legal department not to comment anything which is pretty much understandable when you don't have answers to questions raised.
 
My understanding is that the casino manager goes to the legal team and asks one question: "How will I not get fined?"
And legal says: "Ask for that"
Manager: "Do they have to give it?"
Legal: "No, but you can ask and not let them cashout! ;)"

In other words, since they have permission from the regulators to ask the impossible and stop cashouts, they are doing it.

And the regulators? They get to say they care because they fine the online industry with millions.
And what about the players? The truth is that, politically speaking, gamblers are at the bottom, nobody cares about upsetting them.
 
Yeah, I think that the fact that these "checks" always seem to appear during withdrawals and not deposits speaks volumes about why they are made.
They take deposits no problem, but if the person manages to get a cashout, suddenly it's "Oh no, we have to see if you can afford to gamble at the rate you are doing"
Bullshit is what it is.
 
The useless UKGC should implement a rule stating that if a deposit is accepted, then a withdrawal of any amount up to the account balance is allowed. Any SOW, ID check etc should it be deemed necessary by a casino should be carried out before accepting said deposit. Once a customer deposits successfully, then the casino should pay any winnings achieved with that deposit.
 
They are just covering themselves so nothing wrong in that regard but some of the requests do seem excessive
 
The useless UKGC should implement a rule stating that if a deposit is accepted, then a withdrawal of any amount up to the account balance is allowed. Any SOW, ID check etc should it be deemed necessary by a casino should be carried out before accepting said deposit. Once a customer deposits successfully, then the casino should pay any winnings achieved with that deposit.
Essentially that's how it is. If they accept a deposit and allow you to make one spin they are confirming that verification is complete as well as SOW as per Section 17 LCCP. In the real world some casinos don't understand/choose to ignore this.
 
Casinos are obligated to complete SOW and other checks, just way how these still now after quite a time when they really started to do these in practice (these obligations have been there much longer than most of casinos actually started to implement these to be standard practice like basic KYC checks). These practices just really sometimes are bit over extended when these could have much more risk based approach.

As stated here by some reps, many are using some quite simple triggers like lifetime thresholds which then triggers these to for one €£10 deposit/withdrawal requests and when blindly followed, can lead to bit absurd situation, like in one thread here casino gave no deposit free spins and when player won with these, withdrawal triggered that lifetime threshold to complete SOW verification. Quite obviously there was no big concerns of money laundering from players side as money came for free from casino and if there were any RG concerns, giving freespins to player is not really best practice you deal with player with RG concerns.

SOW/SOF verifications are not that simple black and white like verify players ID or ownership of credit card from taken pictures what is done pretty much for all players. SOW as part of ongoing KYC monitoring is one part of casinos KYC process and totally normal, problematic (for players at least) base what we read from experiences here and other forums if that casinos often (or at least these ones who have been here in threads, there are at least some who are fully compliant but make these processes much more convenient for players) don't use too much risk based approach and review all information and history they have from player to judge how high risk this certain player cause but ask pretty much same amount of different proofs from player who don't actually have any points which would suggest to have nothing but very low risk in payment methods, deposit patterns, geographically etc... that to other who have some or all of these triggering big big red.

It's for sure most safe way to ask from all players explanation for every single transaction coming and going from their bank account, then you don't miss any criminal activities or it's probably hidden so well that you can't be expected to find it, but it's for sure not necessary in all occasions and pretty much nightmare for some players when like here you are requested 3rd party ID from several people. Casino players also receive (hopefully at least sometimes) winnings from other casinos which don't clearly show in statement where these are coming and then you are to request proof of winnings from all casinos etc... It's totally understandable that casinos want to be compliant and that's what they should be, question here have been that are these all requests reasonable or not, how big trouble in audit casino can get if they don't ask proof of one £€200 transfer from private person if it's one single transaction and player state that it's from friend? One of the funniest request seen some weeks ago was when player was requested proof of some (ok quite big amounts so perfectly understandable to ask where it's coming from) transaction received to bank account, this was actually winnings paid casino itself two months ago... which gives an idea how well that particular casino is actually doing their reviews and assessments.... Easiest way without spending too much time to review activities on players' bank and gaming account of course is ask player to explain them all and do that work instead of having more people to work in ongoing KYC monitoring and using more human brains than automatic triggers which are good to have but following only these without any or very little review of human eye, do cause these kind of "funny" situations and even pointed casino that it's bit ridiculous, there are not many who accept it and can stand corrected in some incidents but that blanket answer for AML regulations, legal team and GDPR are more convenient.
 
Some great points, @Slottery :)

Scenario 1: Let's say a player shows strong signs of being a problem gambler. The casino concludes (after a KYC) that the player cannot afford to play with such high stakes. That results in locking of the account and the casino confiscates the player's money.
I mean, what the actual fuck gives the casino the right to confiscate the money of a vulnerable player? Can someone point me to some written rules/guidelines either at Casumo or MGA?

Scenario 2: the player is slammed with an impossible KYC (statements and ID's to 3. parties etc).
The player fails to provide such documents and the account is closed and the player's money is confiscated. Does the casino really have the right to confiscate / steal the money? Can someone point me to some T&C?
What is happening with that money?

I was really unaware of the rules and guidelines the casino must follow when it comes to gambling addiction (and money laundering)... until Casumo decided to throw me under the bus.
 
