Cookies on the Gambling Commission website

The Gambling Commission website uses cookies to make the site work better for you. Some of these cookies are essential to how the site functions and others are optional. Optional cookies help us remember your settings, measure your use of the site and personalise how we communicate with you. Any data collected is anonymised and we do not set optional cookies unless you consent.

Set cookie preferences

You've accepted all cookies. You can change your cookie settings at any time.

Skip to main content

Consultation response

Changes to the licence conditions and codes of practice on age and identity verification for remote gambling

A summary of the responses to our consultations on changes to LCCP on age and identity verification for remote gambling.

Summary of responses – identity verification

Consultation proposal - new licence condition concerning verification of customer identity – applying to all remote betting, gaming and lottery operators (except any lottery licence the holder of which only provides facilities for participation in low frequency1 and subscription lotteries)

As the proposed new provision aims to support all three of the licensing objectives, we considered it appropriate to deliver the requirement via a general licence condition rather than a social responsibility code.

The following questions sought to obtain views on the new proposed condition, including views on the proposal for requiring licensees to match the name associated with a payment method to the name of the account holder.

Consultation question 13:

Do you agree that remote licensees should verify, as a minimum, the name, address, date of birth and email address of their customers before they are permitted to gamble?

Respondents’ views

The majority of consumers agreed with the proposal, as long as verifying these data points would prevent licensees from using identity verification as a reason to delay the withdrawal of funds. Other consumers agreed and asked that all verification was done up front and that licensees clearly specified what other details they would need.

Some other consumers also said they would support bank or affordability checks, to help operators identify problem gambling. Others thought the proposal would lead to better identification of duplicate accounts, thus leaving only genuine ones.

Licensees were generally in favour of verifying name, address and date of birth (and noted that these data points are generally accessible at the same time as attempts to verify age). However, licensees were almost unanimous that verifying an email address was unhelpful in verifying a customer’s identity. They argued that no service currently exists to comprehensively verify emails, and it would therefore be a disproportionate burden to business given the limited regulatory benefit.

A couple of licensees disagreed with the proposal and instead argued that identity should only be verified on a risk-sensitive basis.

Our position:

We intend to introduce the licence condition to require licensees to verify the name, address and date of birth of their customers. We are however persuaded by the arguments that email addresses are not helpful for verifying an individual’s identity. We note licensees’ concerns that email addresses can be deleted with ease, that a customer can create a new email address or communicate from several addresses, and that independent verification of an email address is difficult. As email verification is unlikely to be sufficiently reliable in establishing the identity of an individual gambler, we will not include a requirement to obtain and verify email.

However, SR Code 3.5.3 requires licensees to take all reasonable steps to prevent a self-excluded customer from gambling, and obtaining an email address from the customer will normally be an essential component of meeting this requirement. Further, licensees are reminded that obtaining (but not verifying) email addresses is essential for Gamstop (opens in new tab), the online multi-operator self-exclusion scheme, to operate. More generally, the ID verification undertaken by licensees before allowing customers to gamble would need to be sufficient to enable Gamstop, and licensees’ own self-exclusion schemes, to be effective (ie someone shouldn’t be able to gamble until their identity has been established by the licensee).

We are not satisfied that basic identity verification should only be left to the discretion of licensees on a risk-sensitive basis. We outlined in our Online Review and in the consultation – and with reference to the enforcement cases we have undertaken – that some remote licensees are not currently doing enough to verify the basic identity details of their customers, and that this was exacerbating risks to the licensing objectives. It is therefore important to introduce these minimum requirements for verification to mitigate risks where some licensees have been unable to do so.

Consultation question 14:

Do you agree that licensees should obtain and verify any further information they might require (in particular, information to enable customers to withdraw funds promptly from their accounts, or to enable multiple accounts to be related to one another) before permitting customers to gamble, and where practicable to do so?

Respondents’ views

Many consumers backed the proposals to obtain further information before permitting gambling. Some approved only as long as the proposal would prevent delays to withdrawing account funds, and that licensees were required to be more transparent. There was strong support for requiring licensees to complete all verification checks at account opening, and some suggested that licensees incorporate affordability or problem gambling checks and limit setting.

Of those consumers against the proposal, the main concerns mentioned were that there should be limits on what documents are requested by licensees, and that the verification of name, address and date of birth at account opening should be sufficient. There was also concern that any information would be misused to delay withdrawals.

Licensees were generally against this aspect of the proposed licence condition, advising that they request additional information from customers only when it is necessary, and that requesting information which may never be needed is contrary to data protection laws. Other licensees noted that although there should not be a delay to withdrawing funds, there needs to be due consideration of the checks needed to identify multiple accounts, the need for enhanced customer due diligence (EDD), and source of funds (anti-money laundering (AML) and proceeds of crime (POCA) checks, and that if further information is requested it may lead to customers gambling elsewhere.

Several licensees appeared to think that the purpose of paragraph 2 of the condition was to require them to bring forward all customer checks to the point of on-boarding – essentially, that the Commission was requiring enhanced customer due diligence before gambling, and at the point of account registration. This appears to have been a misinterpretation of the words “any other information” in the draft condition, and that this could mean anything the licensee could need to obtain on a customer.

Our position:

The original draft of paragraph 2 that appeared in the consultation was as follows:
“If a licensee requires any further information about a customer, including (but not restricted to) circumstances where further information would be required in order to:
a) allow a customer to promptly withdraw funds from their account on request (provided there are no other legal obligations which prevent withdrawal); or
b) enable a licensee to relate each of a customer’s accounts to each of the others, where the licensee allows customers to hold more than one account with them (and, where relevant, to enable the licensee to relate accounts held with other companies in the group company), such information must, where practicable, be obtained and verified before the customer is permitted to gamble”

We acknowledge that several licensees appear to have interpreted “any further information” as a requirement effectively to have undertaken all enhanced due diligence measures before a business relationship with a customer commences, notwithstanding duties to conduct ongoing monitoring.

In drafting paragraph 2 above we were primarily trying to ensure that customers are not unfairly inconvenienced by licensees requiring further information from them, as a condition of withdrawal, only at the point they ask to withdraw funds from their account and when the licensee could reasonably have requested that information earlier.

We think it is essential for LCCP to reflect our original intention, particularly given the very high levels of consumer concern about unfair withdrawal practices. Due to the misunderstanding among licensees, we have re-drafted paragraph 2 to make it more explicit about what we are trying to achieve. We will replace the above draft of paragraph 2 with the text below in the licence condition:
“A request made by a customer to withdraw funds from their account must not result in a requirement for additional information to be supplied as a condition of withdrawal if the licensee could have reasonably requested that information earlier. This requirement does not prevent a licensee from seeking information on the customer which they must obtain at that time due to any other legal obligation”.

“Additional information” means anything in addition to information required to verify the name, address and date of birth of the customer, as required by the preceding paragraph in the condition.

The key outcome of paragraph 2 as re-drafted is that licensees ask their customers for any additional information promptly where they have identified a need for additional information based on their risk assessment, and that such additional information should not be requested solely at the point of withdrawal. This is consistent with AML regulations and our published guidance on AML and POCA which require ongoing monitoring of customer relationships and that risks are considered by the licensee at all stages of the relationship.

For clarity, licensees should on an ongoing basis be identifying whether it is necessary to obtain additional information from the customer. It may be necessary to verify information at the outset of a relationship. Conversely, the need for information may sometimes only be identified later in a relationship, for example in response to identified transactional patterns. In any case, where that need has been identified, the information should then be requested promptly. By way of contrast, it would be inconsistent with our requirements to, for example, permit a customer to continue to gamble until (and if) they try to withdraw funds without any inquiry into the risks of criminality until that point, despite the fact that such risks were evident earlier in the customer’s gambling history

From a compliance point of view, we will explore on a case-by-case basis whether a licensee could or could not reasonably have requested information earlier, in the specific circumstances. Licensees would not be expected to ask for all enhanced due diligence information which might possibly be needed before a relationship begins. “…..reasonably requested that information earlier” refers to the ongoing business relationship and the need to ask for information on a risk-sensitive basis, for example as per the duties under AML.

“At that time” refers to the time that the withdrawal request is made. A licensee would not be able to rely on “this requirement does not prevent … any other legal obligation” where information could reasonably have been requested earlier. But this provision does acknowledge that there will be circumstances where an identifiable risk (for instance relating to money laundering) only emerges later in the relationship, or for example where another enforcement body requires the licensee to terminate transactions with the customer subject to information being verified.

In reviewing the original draft of paragraph 2, we no longer consider it necessary for the condition to make any reference to “enable a licensee to relate each of a customer’s accounts to each of the others…” as appeared in the original draft. This is because existing Social Responsibility Code 3.9.1 already covers this expectation. As SR Code 3.9.1 requires a licensee to have policies and procedures in place to identity multiple accounts held by the same customer, these procedures might in any case necessitate the licensee making prompt requests for information in order to achieve this.

Consultation question 15:

Do you agree that licensees should be able to provide assurance to the Commission that they have verified the identity of all of their existing customers?

Respondents’ views

Some respondents approved of assurances being reported to the Commission. Of those in favour, some were of the view that licensees should re-verify all active customers when the changes come in. Others suggested that the wording of the condition should be changed to include ‘at the point that the account is created’.

Most licensees thought it would be wholly disproportionate to require them to verify inactive (dormant) accounts as this would be very costly and resource intensive. Others noted that proactively verifying all active accounts would be similarly costly. Some licensees suggested that they should keep their systems under review on a risk basis but did not agree that it should be a mandatory requirement to verify existing customers.

Other licensees advised that assurance on identity verification could be given for all new and existing active customers, but that it would not be appropriate for the Commission to require accounts to be frozen until the latter type had been verified.

Our position:

We agree that there is very little benefit, in terms of the licensing objectives, in verifying inactive customers who may not conduct any further gambling activity with the licensee. We also acknowledge that it would be disproportionate to require licensees to have verified all their active customers in advance of the changes to LCCP taking effect.

However, from the point the LCCP changes take effect on 7 May 2019, where a licensee has not yet verified the name, address or date of birth of any existing customer, they will be expected to do so before that customer next gambles with them. This will be necessary to meet the requirement of the condition that “licensees must obtain and verify information in order to establish the identity of a customer before that customer is permitted to gamble”.

Licensees should therefore be able to assure the Commission that each customer that has gambled with them since the condition came into effect (that is, since 7 May 2019) has been verified in accordance with the condition.

This approach avoids the need to distinguish between active and inactive customers, insofar as any inactive customer that reactivates their account by trying to gamble would become an active customer again and would need to be verified before gambling (if not already verified). Equally, any active customer whose account becomes dormant before the changes to LCCP take effect would not need to be verified until they reactivated.

Consultation question 16:

Do you agree that licensees should be required to verify that an account holder’s identity matches up with the name linked to the payment method they use (for example, that the name associated with a debit card matches the verified name of the gambling account holder)?

Consultation question 17:

Does the Commission need to consider introducing any other arrangements to address any practical issues arising from this proposal?

Consultation question 18:

For licensees: What barriers might licensees face in meeting the proposed requirement to verify that an account holder’s identity details match the payment method they use? What changes might they might need to make to their systems or contracts with third parties to be able to verify such information?

Respondents’ views

Questions 16, 17 and 18 all broadly covered the same subject matter, so we have aggregated the responses to these questions.

Many consumers supported a requirement for licensees to match an account name to the name on a payment method. Some licensees and third parties also supported the proposal on the basis that it would tackle crime and fraud.

However, most licensees opposed this proposal on the basis that complying with the requirement is not currently possible. In short, they stressed that the cardholder’s name is not verified during a card transaction process. Some third-party solution providers, although agreeing with the principle of the proposal, also noted the current limitations that cardholder name is not verified during payment.

For Q17, some thought that the Commission should work with the payments industry and banking sector to better understand the issues involved and help inform our work going forward. Some suggested that customers should have to make a positive affirmation that the card they are registering belongs to them as the verified account holder.

Q18 was an open question for licensees. Responses to this question again noted the barriers to the proposed requirement, given that the card verification process does not support name matching. Others noted that increasingly strict privacy laws make it harder to obtain and retain identity details.

Some licensees noted that many payment methods do not require a payer’s name, such as prepaid cards and e-wallets, and queried how such payment methods could be verified effectively. Respondents suggested that the Commission facilitates discussions with relevant parties to ensure all information and options were available for licensees to review and assess.

Some consumers stated their concerns that problem gamblers may try to use cards fraudulently, and some presumed that there would already be standard checks by licensees in monitoring the names associated with payment methods.

Our position:

The purpose of this proposal was to reduce the risk of fraudulent card use for gambling, including where problem gamblers have used a family member’s card without consent. We note however the concerns raised by licensees and third parties, and we engaged with payment services experts as part of the consultation process to understand the challenges.

We understand that this proposal is not currently viable because the payer’s name is not verified during the payment authorisation process, and as such, no online retailer or merchant can access any verified cardholder name details from a payment transaction. Remote gambling licensees therefore cannot verify that the payer is the same person as the gambling account holder. Given these constraints, we do not intend to introduce this requirement into the new licence condition.

We note however that the second Payment Services Directive (PSD2) will provide more possibilities for merchants to have better assurance that a card is being used by the named cardholder during a transaction. Under the Directive, ‘Strong Customer Authentication’ (SCA) processes will require a customer to verify their identity for online purchases. This might involve anything from biometrics to stronger security question authentication. SCA processes will be rolled out over the coming year in readiness for when the regulations come into full force on 14 September 2019.

We understand from problem gamblers’ own testimonies that the use of ‘borrowed’ cards may be a prevalent issue, and from a harm prevention perspective we will continue to consider our policy approach. While our original consultation proposal is not technologically achievable at this stage, we will conduct further work in this area once PSD2 takes effect in order to understand the impact of the SCA controls and the levels of assurance around verification that they afford to online retailers.

In the meantime however, while we do not intend to introduce a provision into LCCP at this stage on payment/account name matching, licensees should still consider how they can use the information available to them to mitigate risks as part of their fraud prevention processes as online merchants.

For example, if a licensee requires its customers to input ‘cardholder name’ details as part of the payment journey then it could conduct basic in-house checks to query any circumstance where the cardholder name keyed in clearly does not match the name of the verified gambling account holder. This could help to flag the need for further checks on certain customers when they add additional payment cards.

Online merchants can of course be liable for any fraudulent card transactions, so in addition to any measures they take to minimise the risk of fraud (such as the use of an Address Verification System, requirement for the card security code, along with any verification measures provided by the issuing bank), licensees should consider how they can disrupt the payment journey – for their own benefit as well as protecting the licensing objectives - where they identify a heightened risk of unauthorised card use.

Consultation question 19:

Do you agree that the proposed condition on customer identity verification should apply to online lotteries (other than subscription and low frequency lotteries)?

Respondents’ views

Respondents strongly agreed with this proposal, and betting and gaming licensees were of the view that the condition should apply to all types of remote gambling. Some online lottery licensees stressed that society lotteries are low risk and this proposal could be a disproportionate burden on their sector.

The Lotteries Council and a lottery licensee asked us to clarify the wording for how the proposal on identity verification would be disapplied from low frequency and subscription lotteries.

Our position:

We intend to proceed with our original consultation proposal that the new condition on identity verification will apply to lotteries except subscription and low frequency lotteries (as defined in LCCP).

We acknowledge the concerns of the Lotteries Council about our wording of the application of the proposed condition. We will therefore clarify that the requirements will apply to all remote lotteries “except any lottery licence the holder of which only provides facilities for participation in low frequency or subscription lotteries….”

We continue to view subscription and low frequency lotteries as representing a lower risk to the licensing objectives, and as such it would be disproportionate to introduce the same levels of identity verification requirements to such licensees.

Consultation question 20:

For licensees: If possible, provide an estimate of the costs that might be incurred by your business through implementing the proposed condition. Such costs might include, for example, technological changes (including software development and associated staff time), familiarisation costs in terms of staff training, or other business impact costs. Please also provide details of one-off costs and any annual or ongoing costs from the proposals.

Respondents’ views

This was an open question for licensees. Consultation question 7 asked licensees to estimate costs incurred in respect of the proposed changes to SR Code 3.2.11 and most licensees who answered questions 7 and 20 provided aggregated estimates for the costs that would be incurred from both the changes to age verification and the proposed licence condition on identity verification. This was because the systemic and procedural changes necessary would be done simultaneously by the licensees to reflect both proposals.

As with the costs outlined in respect of question 7, therefore, projections varied significantly, with some licensees quoting figures in the tens of thousands and other figures being in the hundreds of thousands. Some argued in response to both questions that the risk of losing customers to unregulated markets due to delays in on-boarding could cost millions. Some licensees quoted on the basis that they would (whether voluntarily, or in misunderstanding of the proposal) pursue systemic changes based on verification at the point of registration rather than just verification before gambling.

Several licensees stated that the costs of verifying email addresses would be significantly greater than the costs of verifying the other data points proposed in the condition. One licensee stated that they would incur no additional costs as they already pursue verification to an extent that would comply with the proposals. Others advised that the most significant costs would be incurred if retrospective work is necessary for existing customers or, in particular, if it was necessary to verify the name associated with the payment method.

Our position:

Given the wide range of costs estimated by licensees in respect of age and identity verification, we also sought some estimates of costings from third-party identity verification solution providers. We have considered the costs estimated by licensees, totalling those projected for both age and identity verification, and taking account of our position that we no longer intend to require emails to be verified nor that the name associated with the payment method used to fund gambling be matched to the verified account holder.

We consider that the median of the costs estimated does not represent a disproportionate cost when set against the regulatory risk that these measures will address. We note that some licensees will be pursuing more robust and more expensive systemic changes that aim to verify their customers at the point of registration. We are required to assess the economic impact of our regulatory provisions that will require the verification of age before a customer can deposit or gamble, and the verification of identity before they can gamble, and we will submit a Business Impact Target (BIT) assessment to the Regulatory Policy Committee as per requirements under enterprise legislation.

Consultation question 21:

For licensees: How long a lead-in time would your business need to implement technical developments in order to deliver the requirements of the proposed condition?

Respondents’ views

Consultation question 8 asked licensees to estimate the lead-in time they would need in respect of the proposed changes to SR Code 3.2.11, and most licensees who answered questions 8 and 21 provided a total lead-in time to deliver changes on both age verification and the proposed licence condition on identity verification. This was because the systemic and procedural changes necessary would be done simultaneously by the licensees to reflect both proposals.

Some licensees advised that their systems already comply with the proposals, and they would not need any development time. Some licensees thought they would only need a few weeks, but licensees typically stated between 3 and 6 months to implement the changes. There were some outlier estimates of 9 to 12 months.

One licensee responded that they would need a minimum of twelve months to upgrade all existing active customers to the new levels of verification. Other licensees responded that it was not possible to answer this question at this point and that more information would be needed on the final proposals.

Our position:

We have considered the information from licensees around lead-in times but have also taken account of the arguments made by consumers around the need to deliver improvements to consumer protection and fairness.

We intend to proceed with implementation as soon as possible, meaning that the changes to LCCP will come into effect on 7 May 2019. In reaching this view we are mindful that licensees have been aware of our direction of travel on verification since our proposals were first outlined in our Online Review in March 2018, and that the remote sector has been subject to a number of enforcement cases (the outcomes of which have been publicised) where we have been clear in our expectations that the wider remote sector learns lessons from these cases. We therefore expect licensees to prioritise their resources to be able to comply with the new LCCP requirements.

Consultation question 22:

For licensees: Specifically, how long might it take you to implement any necessary changes to your systems to ensure that you can verify whether an account holder’s identity details match the payment method they use?

Respondents’ views

Several licensees gave varied lead-in time periods between 6 months and 12 months.

Other licensees responded that it was not possible to answer this question at this point as the service is currently not available or until there exists a suitable technical solution that will meet the proposed requirement.

Our position:

As outlined above under our position in respect of consultation questions 16, 17 and 18, we no longer propose to require licensees to verify that an account holder’s identity details match the payment method they use. We will conduct further work in this area as PSD2 is implemented, and we also expect licensees to consider how they can use information that is available to them to minimise the risks of fraud.

Consultation question 23:

Do you have any other views that you think the Commission should take account of as part of this consultation, and which are not covered specifically by any of the consultation questions previously?

Respondents’ views

A small number of consumers thought that verifying ID would be an invasion of their privacy, while some called for licensees to use a standard verification process with uniform ID.

One licensee noted that consideration needs to be given to emerging technologies such as geo-tagging. There was also a call from some licensees for the Commission to offer more guidance, especially on what forms of ID it considers acceptable. Some licensees were concerned that the proposed changes will negatively impact the customer experience, and it would add a delay to the registration process.

Our position:

Verification processes and outcomes

We do not intend to prescribe a uniform methodology for verification. Most licensees rely on third party providers such as credit reference agencies or identity management specialists for the sources of data necessary to verify identities. We understand that in some cases, the results from an initial check of third-party databases provide a licensee with certain confidence levels about the quality of an identity match, rather than a simple binary result as to whether or not identity has been verified. Licensees may therefore need to ask the third party to interrogate further data sources in order to achieve higher confidence levels. The verification process can therefore be nuanced and, as the data sources are not proprietary to licensees, prescribing a method of verification by the Commission would effectively require us to regulate or mandate the third-party solutions accessed by licensees, which would be inappropriate for us to do.

What we require is that the outcome of the verification process is that the licensee is satisfied that it has, as robustly as possible, established the identity of the customer, and that the licensee could demonstrate to the Commission what it has done to satisfy itself as to the verification of that person’s identity.

Identity verification should at least be robust enough to give the licensee assurance that the customer exists and that their name, address and date of birth all link to the individual. As we outlined in our Online Review, it is essential for a number of regulatory reasons that the identity of customers is verified before gambling. For example, verification before gambling would make the licensee better placed to identify where multiple accounts are held by the same individual. It would also make self-exclusion processes more effective by ensuring that a person registered with the multi-operator self-exclusion database is the same person whose identity has been verified by the licensee. More generally, verification before gambling will also make the licensee better equipped to identify and mitigate the risks of criminality and the risk of harm to the individual.

Where interrogation of databases fails to establish satisfactorily the identity of a customer, the licensee may have recourse to other electronic solutions or they may simply require the customer to provide them with identity documents such as a passport, driving licence or recent utility bill. Again, the Commission does not intend to prescribe a list of acceptable forms of ID because such lists may go out of date as new forms of government-issued ID documents come into being, or where other technological solutions entering the market are robust enough to verify identity by other means.

However, the licence condition will contain a requirement for remote licensees to inform their prospective customers as to what types of identity documents or other information the licensee may need the customer to provide, the circumstances in which such information might be required, and the form and manner in which such information should be provided. This information should be available to the customer before they deposit money, so that they have the choice of whether or not to proceed.

Where, for example, a licensee might require a prospective customer to provide notarised identity documents as part of the verification process, the licensee will therefore be required to be transparent to those prospective customers about the potential need for notarised ID before that individual goes on to deposit.

Disruption to customer on-boarding

We acknowledge that some licensees expressed concern about the delays to the customer sign-up process that may arise from the new requirements on verification. However, the responses received to our consultation from consumers strongly indicate that many would clearly prefer to experience any delay due to identity verification during the registration process than experience delays for the same reasons in the process of withdrawing funds.

New licence condition 17 - to take effect 7 May 2019

Customer identity verification

All remote licences (including ancillary remote betting licences in respect of bets made or accepted by telephone or email), except any lottery licence the holder of which only provides facilities for participation in low frequency2 or subscription lotteries, gaming machine technical, gambling software, host, ancillary remote casino, and ancillary remote bingo.

Licensees must obtain and verify information in order to establish the identity of a customer before that customer is permitted to gamble. Information must include, but is not restricted to, the customer’s name, address and date of birth.

A request made by a customer to withdraw funds from their account must not result in a requirement for additional information to be supplied as a condition of withdrawal if the licensee could have reasonably requested that information earlier. This requirement does not prevent a licensee from seeking information on the customer which they must obtain at that time due to any other legal obligation.

Before permitting a customer to deposit funds, licensees should inform customers what types of identity documents or other information the licensee may need the customer to provide, the circumstances in which such information might be required, and the form and manner in which such information should be provided.

Licensees must take reasonable steps to ensure that the information they hold on a customer’s identity remains accurate.

References

1 For the purpose of this condition, a ‘low frequency lottery’ is one of a series of separate lotteries promoted on behalf of the same non-commercial society or local authority, or as part of the same multiple society lottery scheme, in respect of which there is a period of at least two days between each lottery draw.

2 A ‘low frequency lottery’ is one of a series of separate lotteries promoted on behalf of the same non-commercial society or local authority, or as part of the same multiple society lottery scheme, in respect of which there is a period of at least two days between each lottery draw.

Previous section
AV CI consultation responses: Summary of responses – age verification
Next section
AV CI consultation responses: Additional call for information - mandatory account limits
Is this page useful?
Back to top