Legislators impose particularly strict security requirements on online casinos and sports-betting providers, with good reason. First, the operator must be certain that the person at the screen is actually the person who registered for the gambling service. A simple password query is not sufficient here, because unauthorised persons, such as children living in the same household, can easily use it to gain access. Second, gambling providers must create a dedicated gambling account for each customer. Since regular incoming and outgoing payments flow through this account much as through a bank account, access must be protected to a similar degree. These measures also pay off for the providers: a CIAM (customer identity and access management) system makes it possible to meet all statutory requirements regarding identity verification, and it can be used to collect and evaluate data about customer preferences so that individual offers can be made to every player. Since this requires the customer's explicit consent, which is recorded in the CIAM system, the access and customer management functions also keep these procedures compliant with data protection law.
Following the introduction of the new State Treaty on Gaming on 1 July 2021, German legislators have also re-regulated online gambling. The new treaty allows companies from Germany and other EU states to acquire licences to offer legal gambling services in Germany, provided that they adhere to a series of rules that aim, above all, to protect players. These include a monthly deposit limit of 1,000 euros, restrictions on bets, mandatory breaks between individual game rounds, and a central blocking list to which customers who play excessively can sign up voluntarily in order to block themselves from all gambling offers, including online casinos and sports bets.
The British Gambling Commission also attracted attention in spring 2021 when it introduced stricter safety measures for online gambling, which have been in effect in the UK since October 2021. The measures introduced by the government supervisory authority aim to reduce the intensity of online casino play and increase security for players while also giving them more control over the games. To this end, the new measures focus on two key areas. First, four main features of online slot games are banned: features that speed up play, autoplay functions, slot speeds faster than 2.5 seconds, and sounds and imagery that give the illusion of a win but do not correspond to the actual outcome. In addition, a permanent ban has been introduced on reverse withdrawals for all online gambling; this feature ultimately induced players to re-gamble money they had previously requested to withdraw. With these measures, the Gambling Commission is continuing the review of its gambling regulation to make online gambling fairer and safer for all participants.
The implementation of these regulations in Germany is likely to steadily shrink the market share held by illegal providers in the coming years. This means that companies that rely on legal gambling can take advantage of growth opportunities if they evolve their product palette accordingly and offer a good user experience to attract players. It’s an effort that pays dividends – in 2017 alone, gross gaming revenues worldwide from online gambling ultimately amounted to some 42 billion euros, and roughly 1.8 billion euros for online casinos licensed in Germany.
CIAM as a safety factor
A good user experience in online gambling begins with the login, and here a CIAM system already differs from obsolete approaches such as password queries. Because identities are verified with biometric factors such as face recognition or fingerprints, the login process is completed within seconds. Typing in passwords is a thing of the past, which increases user convenience significantly. At the same time, the combination of biometric identification and strong cryptography based on the FIDO2 (Fast IDentity Online) standard meets all current security requirements.
That biometric verification can now be relied on as a security process is largely due to the rapid evolution of the sensors fitted to desktop and mobile devices. Years ago, face recognition systems, for example, could be deceived with a photograph of an authorised user. Teething troubles such as these are now very much a thing of the past, because processes such as Apple's Face ID incorporate the three-dimensional structure of the human face into their calculations. At the same time, the algorithms can reliably recognise a person who is wearing glasses, has a new hairstyle or is using their mobile device in poor lighting conditions.
The FIDO2 process uses this biometric data to authenticate the user without transmitting the data to a server: at no point do the data leave the mobile device, where they are stored in a shielded memory area. The biometric check only unlocks a cryptographic key held on the device, and the server receives nothing more than a signature over a one-time challenge. The typical methods of attack used by cybercriminals seeking to access third-party accounts, such as stolen passwords or phishing, are thwarted by a CIAM system that deploys this type of identity check. An extra layer of security is provided by the continuous monitoring of behavioural biometrics such as typing behaviour. If noticeable deviations are detected, the CIAM system requests additional verification from the user, changes the authentication process or blocks the session entirely.
User administration in CIAM
As the control centre for user administration, the CIAM system supplies customer information to every system that needs it. In practice, it works like this: when a person registers for the first time, the CIAM system creates an account as part of the registration process. A data interface forwards the collected information, such as name, address and contact details, to trigger actions such as opening an account in a CRM system like Salesforce. For this purpose, CIAM systems offer a flexible, event-driven mechanism that can replicate any customer information in third-party systems. This can also include a check against a block database, for example, to filter out persons who have voluntarily excluded themselves from gambling offers and to prevent the account from being created.
User administration in CIAM follows the data minimisation rules set out in the EU General Data Protection Regulation (GDPR), meaning that users are only obliged to provide the information necessary for the provision of a service. For gambling, this includes not only the name, address and payment details but also verification that the player is of legal age, which can be provided, for example, by an identity check based on video identification. The collection and processing of any additional data in the CIAM system require the user's consent, which must be obtained separately by means of checkboxes or buttons. Experience shows that many users are willing to give this consent if it is linked with greater convenience, such as a more personalised gaming experience. This makes CIAM the focal point for legally compliant and effective customer retention.
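The registration flow described in the two preceding sections (block-list check before the account is created, required fields forwarded to the CRM, additional data forwarded only with explicit consent), as an added example that is neither the article's nor any CIAM product's code: the Registration, Event and Pipeline types, the event topic names and the self-exclusion entries are constructed assumptions.

```go
package main

import (
	"errors"
	"strings"
)

// Registration is what the sign-up form collects: the fields needed to provide the
// service are mandatory, everything else is optional and gated by explicit consent.
type Registration struct {
	Name, Email, Address string
	AgeVerified          bool              // set by the video-ident step, not by the user
	MarketingConsent     bool              // separate checkbox, unchecked by default
	Preferences          map[string]string // additional data, processed only with consent
}

// Event is what the CIAM system emits to a downstream system (CRM, marketing tool).
type Event struct {
	Topic   string
	Payload map[string]string
}

// Pipeline holds the self-exclusion list (a constructed sample keyed by normalised
// e-mail address) and the events emitted so far.
type Pipeline struct {
	Blocked map[string]bool
	Events  []Event
}

func normalise(email string) string { return strings.ToLower(strings.TrimSpace(email)) }

// Register checks the block list and the age verification before anything is
// forwarded; the CRM gets only the required fields, marketing only consented data.
func (p *Pipeline) Register(r Registration) error {
	email := normalise(r.Email)
	if p.Blocked[email] {
		return errors.New("registration refused: person is on the self-exclusion list")
	}
	if !r.AgeVerified {
		return errors.New("registration refused: legal age not verified")
	}
	p.Events = append(p.Events, Event{"crm.account.create",
		map[string]string{"name": r.Name, "email": email, "address": r.Address}})
	if r.MarketingConsent && len(r.Preferences) > 0 {
		p.Events = append(p.Events, Event{"marketing.profile.update", r.Preferences})
	}
	return nil
}
```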