Are you a Highroller? BEWARE of CASUMO

bamberfishcake

Senior Member
MM
Joined
Jan 8, 2019
Location
Essex
Couple of things...

1) The timing is bad.....to ask for further information when a large withdrawal rocks up will get peoples backs up and start to question why.

Not directed specifically at you Casumo but too many Casinos are using these rulings to their advantage and not what they are intended for - again, not saying that is you Casumo but arguably, your timing is bad and raises questions - Credit to you for being proactive and sending that recent email regarding requests for information to your customers.

2) @trancemonkey is correct - the only question that needs answering is 'Are casinos entitled to ask for 3rd parties information under the anti money laundering rules and regulations?' - all data processes fall under those rules and guidelines. If so, Casumo cannot justify or validate their requests as its not their ruling. They also cannot be seen saying 'we know its not fair, but we gotta ask for it'.
 

bamberfishcake

Senior Member
MM
Joined
Jan 8, 2019
Location
Essex
But if they think Luckylobo is laundering money and is part of a criminal network its not their job to investigate. They aren't the police or any other authority. They are just a company.


Im surely no expert, but I just can't imagine that sending third party information to a company in another country is legal under any circumstances.

The anti money laundering policies in the UK are crazy. You get less for murder than fraud and money laundering.
 

Lobo

Repeated violations of rule 1.18 - being a PITA
PABnoaccred2
Joined
Apr 21, 2018
Location
Scandinavia
It might be irrelevant, but I'll be totally clear with you: I have not been laundering money at Casumo. Every single cent has been taxed.
I am positive this is due to signs of problem gambling and a somewhat failed SOW back in 2018.
I guess my VIP account has gone under the radar for some time.

If I was laundering money I would not have done it this way :machinegunner:

I'll promise you we'll get the answers. Might take some time, but we'll get them.
 
Last edited:

bamberfishcake

Senior Member
MM
Joined
Jan 8, 2019
Location
Essex
It might be irrelevant, but I'll be totally clear with you: I have not been laundering money at Casumo. Every single cent has been taxed.
I am positive this is due to signs of problem gambling and a somewhat failed SOW back in 2018.
I guess my VIP account has gone under the radar for some time.

If I was laundering money I would not have done it this way :machinegunner:

I'll promise you we'll get the answers. Might take some time, but we'll get them.

For the record and I dont think you personally meant me but i dont think you have been money laundering. If you had I dont think you would be dicsussing it in a forum. I like to think you would be on the run somewhere in a disguise like groucho marx
 

Lobo

Repeated violations of rule 1.18 - being a PITA
PABnoaccred2
Joined
Apr 21, 2018
Location
Scandinavia
For the record and I dont think you personally meant me but i dont think you have been money laundering. If you had I dont think you would be dicsussing it in a forum. I like to think you would be on the run somewhere in a disguise like groucho marx
I've always liked ghostbusters, so I definitely be dressed up as ghostbusters :D

No worries, mate - I just read so much about money laundering here, so I just had to reply.
 

ternur

Destroying castles in the sky
webby
CAG
mm3
Joined
Nov 25, 2004
Location
Finland
Under GDPR (Art 6) there are six legal ways for collecting and processing of personally identifiable information (PII):
  • Consent (of the data subject)
  • Contractual obligations (chen the data subject is a contract party)
  • Compliance with legal obligations (based on Union or Member State law)
  • Protection of vital interests (of the data subject or of another natural person)
  • Public interest and authority
  • Controller's legitimate interests
This legal basis has to established prior collecting or processing PII -- including data required for AML purposes. Processing or collecting PII without a clear legal basis is a violation of GDPR.

It's clear that controller has a legal basis for collecting and processing PII when obligated to do so under AML regulations ("compliance with legal obligations"). It should be noted that this should be done in "reasonable and proportionate way of achieving compliance".

"Legitimate interests" as a legal basis is not as clear as "legal obligations". The controller might justify this in cases such as preventing fraud for example, but in all this basis is more open to interpretation. Another example might be a legal obligation which is not based on Union or Member State law but the controller is still required to comply with it.

AML regulations require the collection and processing of a lot of information which might not fit that well with GDPR's legal basis approach. It's a balancing act. The two different sets of requirements (GDPR limiting the use of PII and AML maximising the use of PII) create a number of conflicts when it comes to compliance as a whole.

Generally individuals have the right to access their personal data unless there's an exemption which would justify denying it (Article 23 of the GDPR allows for an individual's rights to be restricted in certain circumstances, for example crime prevention).

The SOF is in most cases the bank account of the client. But this knowledge does not necessarily mean that the funds are from a legitimate source: the bank may have already filed a suspicious activity report (and given consent to approve transfer of funds out of that account) or the bank may have failed to apply approriate KYC/EDD/AML measures themselves.

So the fact that the source of funds is the client's bank account does not mean that appropriate KYC/EDD/AML procedures shouldn't be applied. The level of scrutiny should be based on the company's understanding of the client’s circumstances and risk profile.

The risk is enhanced when the client's funds originate from a third party. But there needs to be consistency and pragmatism here. You have to ascertain the source of funds where necessary. And you have to know how far in the chain it's necessary to have evidence on file of the source of funds. If you ask for an ID from a third party which name shows on your client's bank account statement, why stop there? Where did that third party get the funds?

One thing the companies facing these situations seem to forget: they are not obligated to prove that money is clean, it's about being satisfied the money is consistent with the client risk profile and there's no suspicion of money laundering.

These companies are not the police investigating potential crimes. It seems that some forget this in their fear of getting fined. Even though the sanctions in most cases have related to RG and not failures in AML compliance as such.
 

bamberfishcake

Senior Member
MM
Joined
Jan 8, 2019
Location
Essex
Under GDPR (Art 6) there are six legal ways for collecting and processing of personally identifiable information (PII):
  • Consent (of the data subject)
  • Contractual obligations (chen the data subject is a contract party)
  • Compliance with legal obligations (based on Union or Member State law)
  • Protection of vital interests (of the data subject or of another natural person)
  • Public interest and authority
  • Controller's legitimate interests
This legal basis has to established prior collecting or processing PII -- including data required for AML purposes. Processing or collecting PII without a clear legal basis is a violation of GDPR.

It's clear that controller has a legal basis for collecting and processing PII when obligated to do so under AML regulations ("compliance with legal obligations"). It should be noted that this should be done in "reasonable and proportionate way of achieving compliance".

"Legitimate interests" as a legal basis is not as clear as "legal obligations". The controller might justify this in cases such as preventing fraud for example, but in all this basis is more open to interpretation. Another example might be a legal obligation which is not based on Union or Member State law but the controller is still required to comply with it.

AML regulations require the collection and processing of a lot of information which might not fit that well with GDPR's legal basis approach. It's a balancing act. The two different sets of requirements (GDPR limiting the use of PII and AML maximising the use of PII) create a number of conflicts when it comes to compliance as a whole.

Generally individuals have the right to access their personal data unless there's an exemption which would justify denying it (Article 23 of the GDPR allows for an individual's rights to be restricted in certain circumstances, for example crime prevention).

The SOF is in most cases the bank account of the client. But this knowledge does not necessarily mean that the funds are from a legitimate source: the bank may have already filed a suspicious activity report (and given consent to approve transfer of funds out of that account) or the bank may have failed to apply approriate KYC/EDD/AML measures themselves.

So the fact that the source of funds is the client's bank account does not mean that appropriate KYC/EDD/AML procedures shouldn't be applied. The level of scrutiny should be based on the company's understanding of the client’s circumstances and risk profile.

The risk is enhanced when the client's funds originate from a third party. But there needs to be consistency and pragmatism here. You have to ascertain the source of funds where necessary. And you have to know how far in the chain it's necessary to have evidence on file of the source of funds. If you ask for an ID from a third party which name shows on your client's bank account statement, why stop there? Where did that third party get the funds?

One thing the companies facing these situations seem to forget: they are not obligated to prove that money is clean, it's about being satisfied the money is consistent with the client risk profile and there's no suspicion of money laundering.

These companies are not the police investigating potential crimes. It seems that some forget this in their fear of getting fined. Even though the sanctions in most cases have related to RG and not failures in AML compliance as such.

Thanks, so there is a large amount of interpretation and if ultimately the 3rd parties deny access and the player can show that, its down to who to decide?

I guess the controller and such at the casino, following the guidelines. I guess there may not be a need to satisfy the 3rd party requests to get to a decision. From what you are saying the 3rd parties are under no obligation at this stage. Lets say you request but they decline due to data protection you could then get a response in terms of have I satisfied you or not?

I suppose there are trigger points that require certain due diligence to be shown also.

Great Info thanks
 

colinsunderland

Experienced Member
webmeister
MM
Joined
Jan 28, 2016
Location
uk
Also, even if they had the right to ask for the information they are, the person who is being asked for the ID has no legal obligation to do so.

In this case Casumo have admitted they blocked withdrawals (but not deposits) until the OP sent in information, that, quite possibly, was impossible to do.

If they thought he was a problem gambler, or the funds were possibly not clean then the deposits should have been blocked immediately. Clearly they thought there was a RG or AML problem, but happily took that money, and tempted the OP to spend more of his 'stolen money' or 'money he couldn't afford' by sending texts offering bonuses, AFTER they apparently had concerns.

*Note to OP - I am not saying there was a problem, only what Casumo thought.
 

ternur

Destroying castles in the sky
webby
CAG
mm3
Joined
Nov 25, 2004
Location
Finland
Thanks, so there is a large amount of interpretation and if ultimately the 3rd parties deny access and the player can show that, its down to who to decide?
[...]

Also, even if they had the right to ask for the information they are, the person who is being asked for the ID has no legal obligation to do so.
[...]

This is the main point imo. And the casino knows this. While they would be allowed to process that data under GDPR, the question is how are they able to collect it? If the third parties are not (also) customers of the casino, it's an impasse.

I've dealt with similar situations before. But in these cases the third parties were willing to supply signed statements for file. And they were business transactions. Hardly comparable to playing slots online...
 

maxd

Complaints (PAB) Manager
Staff member
Joined
Jan 20, 2004
Location
Saltirelandia
... These companies are not the police investigating potential crimes. It seems that some forget this in their fear of getting fined. Even though the sanctions in most cases have related to RG and not failures in AML compliance as such.

Apologies for jumping into the middle of things but I wanted to add a comment on the above.

The gathering of player data and "verification" of same is also commonly used as a cover for slow-paying players.
In a number of cases I've dealt with in PABs the operators will demand documents from the player supposedly as part of their "verification" process. Once said documents are provided suddenly more, previously unmentioned, documents are necessary and the ones just given are promptly forgotten and never mentioned again. Not to mention that justification for these document requests, regardless of how invasive they may be, is hardly ever given or explained. Control is very definitely in the operator's hands throughout this process which is somewhat ironic given that the GDPR was supposed to empower the data subject not the data controllers.

Needless to say the same tactics are often used to slow and stall the dispute arbitration process but that's another story.

The bottom line is that abuse of the GDPR by operators is a fairly common thing and it's all done under the guise of "compliance" and "player safety". Doubtless some operators are trying to cover their butts but many are simply using the GDPR as an excuse to frustrate players, tie up their money in red tape and avoid scrutiny during arbitration.

I strongly suspect that the legal teams of casinos everywhere broke out the champagne when the GDPR came into force because they knew sooner than almost all of us that it was going to be a free pass for them to continue dicking players around but now they'd be able to do it with the umbrella excuse of following the GDPR's legal process. The GDPR handed them a nice big stick but said bugger all about the limits and restrictions of its use.
 
Last edited:

maxd

Complaints (PAB) Manager
Staff member
Joined
Jan 20, 2004
Location
Saltirelandia
For those interested in the above I thought the following might provide worthwhile further reading:
https://www.casinomeister.com/forum...eneral-data-protection-regulation-gdpr.87331/https://thepogg.com/the-data-protection-lie-using-a-legal-mis-direction-to-legitimise-bad-practice/
And since this morning I've just received another ridiculous "can't discuss due to GDPR" excuse from a major operator in response to a player's PAB I think today is the day to start that "GDPR Abusers" list I've been thinking of here at Casinomeister. I'll post a link here when that is live.
 

Slottery

Senior Member
PABnoaccred
MM
Joined
Aug 21, 2017
Location
Malta
If they thought he was a problem gambler, or the funds were possibly not clean then the deposits should have been blocked immediately. Clearly they thought there was a RG or AML problem, but happily took that money, and tempted the OP to spend more of his 'stolen money' or 'money he couldn't afford' by sending texts offering bonuses, AFTER they apparently had concerns.

Leaving account open, accepting deposits but not withdrawals is pretty much what they are allowed to do when carrying CDD measures, below is from "MGA Implementing Procedures". After 30 days if requested documents are not received or can't be approved licensee should terminate relationship.

"In carrying out the CDD measures, customers may be allowed to continue using their gaming account while the licensee obtains any necessary information from the customer concerned. However, until such time as the licensee obtains the necessary information and documentation from the customer to meet its CDD obligations, the customer is not to be allowed to effect any withdrawals from the account independently of the amount involved. "
 

Slottery

Senior Member
PABnoaccred
MM
Joined
Aug 21, 2017
Location
Malta
And since this morning I've just received another ridiculous "can't discuss due to GDPR" excuse from a major operator in response to a player's PAB I think today is the day to start that "GDPR Abusers" list I've been thinking of here at Casinomeister. I'll post a link here when that is live.

If player is asking help from ADR service like PAB here and give you permission to all information, how's that actually violating GDPR in their replies?
 

maxd

Complaints (PAB) Manager
Staff member
Joined
Jan 20, 2004
Location
Saltirelandia
If player is asking help from ADR service like PAB here and give you permission to all information, how's that actually violating GDPR in their replies?

In almost all cases no justification for their refusal to cooperate is given beyond a generic and hand-wavey statement like "data protection requirements" or "player data protection".

In practice the people receiving and handling the PABs are fairly far removed from the operator's legal department and it is typically the legal department that gives the marching orders related to the GDPR and complaints resolution.

In other words the Support people handling complaints are given a blanket statement from Legal and that is what they parrot usually without a clue whether it is relevant, applicable, justified or even legitimate.
 
Last edited:

Slottery

Senior Member
PABnoaccred
MM
Joined
Aug 21, 2017
Location
Malta
In other words the Support people handling complaints are given a blanket statement from Legal and that is what they parrot whether they have any clue that it is relevant, applicable, justified or even legitimate.

Pretty much same like these SOW and other processes like we see here, legal/compliance team provide very blanket statement about regulations, AML laws and directives etc... but none haven't from request specified anything further to help understand which particular sentence in some law/directive made them to decide to request XYZ.

Like posted earlier, if some casino would like to open up where their decision are based, it could make it easier to accept and understand if these laws/regulations/directives are really demanding such extended requests and if not, then everybody can have their own opinion if these really are needed to fill obligations or not. These all are public documents available for all, so pointing few sentences from there why something is done, would make it much more transparent at least, different story again how many after reading it agree that some demands are not way over they means.

When doing risk assessment, of course it's always up for instance who is doing it how high risk something is categorized and with that we have to live, but would make it clearer what is counted to cause that high risk, is it one or two hundred euro bank transfers from your friends/family etc... or some 50k€ from private person without any information, these both in many casinos (not specifying Casumo here) are dealt with exact same requests to trace source of these funds, even one transaction which is not your salary can lead for these nice requests for explanation where and from who this 50 euros came from (yes, it can be from criminal source but it's to operator to decide how high risk that one transaction is causing to them).
 

Lobo

Repeated violations of rule 1.18 - being a PITA
PABnoaccred2
Joined
Apr 21, 2018
Location
Scandinavia
The big guns are entering the thread. Lobo likes =)

Excellent research @ternur !

In my case, the amounts transferred to me were between € 200 and € 600 in August (the only period they required bank statements). 4 or 5 transfers from other people.
If you compare that to the total amount transferred to Casumo in 3 years then it is well under 1%.

If I had somehow managed to get handwritten statements and a copy of the ID of the people who had transferred money to me in August ... no way Casumo would be satisfied. I'm sure this would just be the beginning... probably demanding bankstatements from the 3rd parties as well (as you say, @ternur ) - and then started on July, June etc...
Just speculations but they for sure wanted to get rid of me. No doubt in that.
 

Slottery

Senior Member
PABnoaccred
MM
Joined
Aug 21, 2017
Location
Malta
If I had somehow managed to get handwritten statements and a copy of the ID of the people who had transferred money to me in August ... no way Casumo would be satisfied. I'm sure this would just be the beginning... probably demanding bankstatements from the 3rd parties as well

Why not, if they only requested their ID:s :) Of course signed letter "Money i have transferred to Luckylobo is amount i have borrowed from him and paying it back now and i also hereby confirm that i have not completed any illegal activites" anything more wasn't asked than only picture of ID:s...

Then of course they would have identity of these persons to see if they are in any PEP or sanction lists, but don't guess many operators do these scans of 3rd party persons who are not their customers. For some it can sounds bit nonsense to start to now ask some 3rd party ID:s to find out if that small amount compare to your deposits has AML concerns or not if it really is just small drop of your deposits within time your statement was requested to show all transactions but maybe just these transactions were found to be relevant, no matter if your salary or other incomes can support your spending, as long you can provde ID:s of your friends who have transferred money to your account.
 

Lobo

Repeated violations of rule 1.18 - being a PITA
PABnoaccred2
Joined
Apr 21, 2018
Location
Scandinavia
I actually told one of the person who had sent me money what was happening, and that Casumo asked for a statement and his ID. He just laughed and said "Sorry, you must be crazy". After that I knew this was an impossible task to fulfill :/
 
Top