Regulating a Cashless Casino
With early models of cashless casinos proving popular, Jennifer Carleton outlines a regulatory model for rollout
Since 2020, casinos have started moving away from a reliance on cash. In the U.S., roughly 50 casinos have implemented some form of cashless technology, including commercial operators in Mississippi and Tribal casinos in Connecticut, Florida, Oklahoma and California. As the interest in cashless gaming has risen, so has the need to update gaming regulations.
Studies by the American Gaming Association have shown that 87 percent of high-visitation, high-value customers would like to use some type of cashless gaming system. As cashless gaming continues to gain acceptance by casinos and popularity among patrons, gaming regulations will have to be refined and updated to provide an optimal customer experience.
A “cashless system” is generally characterized as a system where a player maintains an electronic account on a casino database. Beyond that, the criteria for establishing a cashless casino system vary in each jurisdiction. Some of the key regulatory concerns are outlined below.
In a cash-based system, a patron can remain relatively anonymous (unless he or she hits a jackpot, is issued a marker or uses a player’s card). In a cashless environment, that anonymity is limited. When developing a set of cashless wagering regulations, the first necessary consideration for any gaming agency is whether the wagering requires the patron to be registered with the casino.
If a cashless system is account based, the patron will not be anonymous. Most cashless wagering regulations require some form of account to be established in order for a player to gamble without cash at a casino. The minimum requirements for establishing a cashless wagering account are typically the patron’s name, date of birth, physical address and social security number (if a U.S. citizen). Once an account has been established, the operator will assign a customer or patron ID “reasonably designed to prevent the unauthorized access to, or use of, the wagering account by any person other than the patron or patrons for whom the wagering account is established.” Some jurisdictions allow for multiple patrons on a single cashless wagering account, provided that each individual registers with the operator.
Most states require that an individual confirm their identity before establishing or funding a cashless wagering account. In Nevada, a patron can visit a casino cage in person and present a valid government issued picture ID to establish or fund a cashless wagering account. If the patron wants to set up their cashless wagering account remotely, the operator must (1) validate the player’s government issued picture identification and (2) perform an identity verification in order to form a reasonable belief that the true identity of the patron is known. Nevada requires this two-step verification process to ensure that the individual attempting to use the cashless wagering account is the person that established the account.
The first step of the verification is establishing the authenticity of the individual’s ID, which can be done by comparing the ID to an electronic library of ID specifications and associated security features as well as by comparing the data obtained from the ID via optical character recognition to the data embedded in the two-dimensional bar code on the back of the ID. Some states only require this first verification step and do not necessitate that the identity of the individual accessing the account is separately validated.
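The OCR-to-barcode comparison described above can be sketched as follows. This is an added example, not code from any operator or regulator; it assumes the decoded barcode text uses AAMVA-style three-letter element IDs, one element per line (the article names no barcode format), and all sample values are constructed.

```python
import re
from datetime import datetime

# Assumed AAMVA-style element IDs mapped to the fields the operator compares.
FIELDS = {"DCS": "last_name", "DAC": "first_name", "DBB": "dob",
          "DAQ": "id_number", "DAG": "street"}

def parse_barcode(payload: str) -> dict:
    """Extract the mapped elements from the decoded 2D barcode text."""
    out = {}
    for line in payload.splitlines():
        code, value = line[:3], line[3:].strip()
        if code in FIELDS and value:
            out[FIELDS[code]] = value
    return out

def norm(field: str, value: str):
    """Normalise case, spacing and date layout; None means the value is unusable."""
    value = value.strip().upper()
    if field == "dob":
        for fmt in ("%m%d%Y", "%m/%d/%Y", "%Y-%m-%d"):
            try:
                return datetime.strptime(value, fmt).strftime("%Y-%m-%d")
            except ValueError:
                continue
        return None
    if field == "id_number":
        return re.sub(r"[^A-Z0-9]", "", value)
    return re.sub(r"\s+", " ", re.sub(r"[^A-Z0-9 ]", " ", value)).strip()

def cross_check(ocr: dict, barcode_payload: str) -> list:
    """Return (field, ocr_value, barcode_value) for each field that cannot be confirmed."""
    coded = parse_barcode(barcode_payload)
    problems = []
    for field in FIELDS.values():
        a, b = ocr.get(field), coded.get(field)
        na = norm(field, a) if a is not None else None
        nb = norm(field, b) if b is not None else None
        if na is None or nb is None or na != nb:
            problems.append((field, a, b))  # missing, unparseable or different
    return problems

# Constructed sample: front-of-card OCR output and back-of-card barcode text.
SAMPLE_BARCODE = "DAQD1234567\nDCSSAMPLE\nDACJORDAN\nDBB07041985\nDAG123 MAIN ST\n"
SAMPLE_OCR = {"last_name": "Sample", "first_name": "Jordan", "dob": "07/04/1985",
              "id_number": "D123-4567", "street": "123 Main St."}
```

An empty result means every compared field on the front of the ID agrees with the barcode; any entry is a reason to send the enrollment to manual review rather than an automatic rejection.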
The verification of the identity of the individual and not just the validity of the ID is a requirement in most states that have cashless wagering, although the method for performing this second step can vary. Some states allow for biometrics or a “selfie” to authenticate the identity of the individual accessing a cashless wagering account. In Nevada, a selfie is insufficient for an operator to establish a reasonable belief of the patron’s identity. ID verification can be completed when the operator remotely validates that the picture on the ID matches the selfie and the operator performs Know Your Customer (“KYC”) analysis of the data provided (name, address, date of birth and social security number) against its identity databases to determine if the data provided matches. If some portion of the KYC is a partial match only, the operator can also use a Knowledge Based Authentication (“KBA”) process in which the patron is presented multiple-choice questions regarding the individual’s personal history. All questions presented are non-credit based and are formed using proprietary data.
In summary, a robust account authentication system consists of 1) validating something the patron has (such as a valid government ID); 2) validating something the patron knows (like responses to enrollment questions and KBA); and 3) validating something they are (using KYC and KBA).
Evidence of Identity
The Financial Crimes Enforcement Network (“FinCEN”) requires casinos to “examine” a document to verify the name and address of their customers.
Verification of the identity of an individual who indicates that he or she is a non-US resident must be made by passport, alien identification card, or other official document evidencing nationality or residence (e.g., a Provincial driver’s license with indication of home address). Verification of identity in any other case shall be made by examination of a document, other than a bank signature card, that is normally acceptable within the banking community as a means of identification when cashing checks for non-depositors (e.g., a driver’s license or credit card).
FinCEN regulations and guidance applicable to casinos do not clarify whether the examination of a document must be in-person. FinCEN’s guidance dated October 19, 2021 (the “Guidance”) excepts casinos from the requirement of in-person verification in the context of online gaming; i.e., casinos have the option to use non-documentary methods to verify identity for online gaming. This Guidance implies that remote examination of a document is acceptable in the online gaming context but does not specifically address remote examination of a document for in-person cashless gaming.
Several states permit casinos to remotely examine a document for in-person gaming, and FinCEN has not objected to any such practice in those states. For instance, the Colorado Department of Revenue notified casinos in 2019 of the Colorado governor’s policy statement permitting the use of digital personal identification technology and the potential implications of this policy statement for gaming (including in-person gaming). This policy statement provides that “merchants may start accepting Colorado Digital ID for proof of identity and age within Colorado on October 30, 2019” and “[t]he Colorado Digital ID . . . is valid for acceptance anywhere age or identity verification is required.” FinCEN has not stated that a casino’s examination of a Colorado Digital ID for identity verification purposes does not constitute the “examination of a document” under applicable FinCEN regulations.
Additionally, FinCEN regulations require casinos to maintain a record of each customer’s name, permanent address, and social security number, and permit digital storage of such information. Given that FinCEN permits digital storage of the information a casino collects, it follows that the collection and examination of such information may also occur digitally and is consistent with FinCEN regulations and its Guidance.
FinCEN recognized that non-documentary means of identity verification (such as knowledge-based systems, databases and checking references with financial institutions) can provide more comprehensive verification than traditional documentary methods (like government issued IDs), are less likely to be altered or forged, and may provide a better “overall [customer] risk assessment.” As a McKinsey report from seven years ago noted:
As the rules become ever more complex and the consequences of non-compliance ever more severe, banks will likely have no choice but to eliminate human interventions as much as possible in risk’s dealings with customers and to hardwire the right behaviors into their products, services, and processes.
After a customer establishes a cashless wagering account with an operator, the customer can fund that account in a variety of ways, including:
1. ACH/eCheck. An eCheck deposit drafts an electronic check from a player’s bank account and sends it through Automated Clearing House for processing.
2. Debit Card. A debit card used by a player will have a Bank Identification Number (BIN), which is the first 4-6 digits of the payment card number and identifies the Network (Visa, Mastercard, etc.) and the card issuer (or financial institution at which the bank account exists).
3. Credit Card. A credit card also uses a BIN number that identifies the Network and the card issuer.
4. Prepaid Card. A prepaid card used by a player will also have a BIN number indicating that it is a prepaid card and identifying the Network and card issuer. In this regard there is no difference between a Prepaid Card and a Debit Card. In fact, all debit is simply a form or subset of prepaid access since it denotes that the money in that bank account is the money which can be spent or used, and no more. FinCEN formally defines two types of prepaid cards, reloadable (Open Loop Prepaid Access) and non-reloadable (Closed Loop Prepaid Access):
(a) Reloadable Prepaid Cards. A reloadable prepaid card is a multi-use card. It allows a player to establish an account (after going through the bank’s required Customer Identification Program or “CIP” process) with the bank/financial institution and load the bank account with funds more than once. This type of account may also permit ATM transactions. Aside from back-end banking minutiae, a reloadable prepaid card functions in the exact same way as a debit card.
(b) Non-reloadable Prepaid Cards. A non-reloadable prepaid card is a single or multi use card with a low dollar threshold (generally under $200 and often much lower), no ATM transactions, and most importantly no ability to add funds again. These cards, while issued by a bank, do not require CIP. The term “gift card” is sometimes used to mean a non-reloadable prepaid card, although that term does not have a specific banking definition.
5. Digital Wallet. A digital wallet is an application that allows a player to store a payment method, including a bank account, debit card, credit card or prepaid card. A digital wallet can also include credits based on returns or volume.
To further responsible gaming initiatives, some states have limited funding methods by restricting the use of credit cards and have considered restrictions on player activity funded with joint accounts. There are also restrictions on the use of “gift cards” and “prepaid cards” in some states, although those terms are not always aligned with FinCEN terminology.
A funding transaction typically comprises five parties: the card holder (the individual patron), the issuing bank (the financial institution that has issued the debit or credit card to the patron), the card network, the card acquirer (the processor of the transaction), and the merchant (the casino).
When a card holder attempts to fund a transaction, there are several pieces of information that are passed along to an acquirer that enables it to determine whether to accept the transaction. When a card holder attempts a transaction using either a debit or credit card, the card holder inputs the 16-digit card number associated with that card.
The 16-digit number will indicate various pieces of information including over which network the card was run, whether the card is a debit or credit transaction, and additional information about the patron’s account. What this number does not include is information that would allow an acquirer to determine if an account is held by a sole person or multiple individuals. That information is only held by the card holder on one end of the transaction and the issuing bank at the other end. The other actors within the payments chain cannot make a determination as to whether the account is a single or joint account and how many people are authorized to use it, only whether the individual attempting to use the account is authorized to do so.
When a cardholder attempts to deposit funds with a debit or credit card, the acquirer is the first to receive information about the proposed transaction. The acquirer communicates with the issuing bank regarding the cardholder’s attempted deposit. The acquirer ensures that there are available funds in the account for a debit account or available credit should a deposit be issued by a credit card transaction. The acquirer may also conduct an address verification check to ensure that the customer is an authorized account holder. However, there is no current verification method available for an acquirer to confirm that there is only one authorized account holder.
For transactions that enable a customer to utilize their bank account to deposit funds into their wagering account via a check that is processed by an automated clearing house (ACH), similar information would be shared between the issuing bank and the acquirer processing the transaction. Like the card process, the exchange of information to facilitate the transaction does not include any details regarding the ownership of the account – whether sole or joint ownership.
The utilization of non-reloadable prepaid cards or credit cards as a primary method to fund account wagering can be tracked and blocked using the BIN associated with the payment method. However, it is virtually impossible to track and block the utilization of such cards as a secondary or tertiary funding method.
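The BIN-based block on a primary funding method, and its blind spot for secondary funding, can be illustrated as follows. This is an added example, not an operator's or processor's code; the BIN table, the blocked card types and the request fields are all constructed assumptions.

```python
# Constructed BIN table: these prefixes and attributes are invented for illustration.
BIN_TABLE = {
    "999901": ("ExampleNet", "debit"),
    "999902": ("ExampleNet", "credit"),
    "999903": ("ExampleNet", "prepaid_reloadable"),
    "999904": ("ExampleNet", "prepaid_nonreloadable"),
}
BLOCKED_TYPES = {"credit", "prepaid_nonreloadable"}  # assumed jurisdiction policy

def luhn_ok(pan: str) -> bool:
    """Check-digit test, so mistyped numbers are rejected before the BIN lookup."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def funding_decision(method: dict) -> tuple:
    """Return (decision, reason) using only what the deposit request contains."""
    if method["kind"] == "card":
        pan = method["pan"].replace(" ", "")
        if not luhn_ok(pan):
            return ("reject", "invalid card number")
        entry = BIN_TABLE.get(pan[:6])
        if entry is None:
            return ("review", "unknown BIN")
        _network, card_type = entry
        if card_type in BLOCKED_TYPES:
            return ("block", card_type)
        return ("allow", card_type)
    if method["kind"] == "wallet":
        # The card that loaded the wallet never appears in this request, so the
        # BIN rule cannot evaluate it; the reason is recorded for compliance.
        return ("allow", "upstream funding source not visible")
    return ("review", "unsupported funding method")

# Constructed deposits (numbers pass the check-digit test but are not real accounts).
SAMPLES = [
    {"kind": "card", "pan": "9999 0100 0000 0003"},   # debit
    {"kind": "card", "pan": "9999 0200 0000 0002"},   # credit
    {"kind": "card", "pan": "9999 0400 0000 0000"},   # non-reloadable prepaid
    {"kind": "wallet", "wallet_id": "w-123"},         # wallet loaded elsewhere
]

def run_samples() -> list:
    return [funding_decision(m) for m in SAMPLES]
```

The first three decisions depend entirely on the BIN, while the wallet deposit is allowed with a recorded reason because the request carries no BIN for whatever originally funded the wallet.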
Casinos are often the final environment in which consumers are required to use cash to fund their purchases. The AGA data quoted above and the success of proof-of-concept early adopters show a latent demand for a cashless casino experience.
With appropriate regulation of patron identity and source of funds, a cashless environment can be more secure and provide better visibility of fraud and/or problem gambling. For regulators, cashless casinos may thus better achieve their goals of protecting patrons. Early indications suggest that patrons quickly accept cashless casinos and operators benefit from increased customer spend, reduced costs of cash handling and greater customer loyalty. As a genuine benefit to customers, operators and regulators alike, their deployment is likely to become the norm.