Whether we like it or not, AI is here to stay, but companies using the tech to achieve compliance and KYC tasks need to place one factor above all else – transparency, to both customers and to authorities.
AI has presented countless business use cases, and for those in betting and gaming the technology’s application to KYC, anti-money laundering, fraud prevention and responsible gambling (RG) functions are the most obvious examples.
Getting customers to trust what you’re using AI for is another matter, however, and not just because of the proliferation of ‘AI slop’ in social media. People know their data can be collected by bots for marketing purposes, and while GDPR – and good practice – prevents operators from doing this, transparency is still key.
Speaking during Payment Expert’s Digital Day on 15 April, panellists from across the iGaming industry gave their view on AI’s role in compliance.
“I think this is a big one, and it’s probably where people often get uncomfortable,” said Scott Burrows, Head of Compliance at multinational bookmaker SuperBet.
“Just because we can use the data, it doesn’t mean we can repurpose it. Let’s maybe take a step back from using the RG risk scores themselves but let’s look at, you know, the data markers that AI is going to look at to pick out a high risk gambler.
“It’s also going to be the same data it uses to pick out who’s potentially a VIP, who’s applicable for bonuses, and that’s where the data becomes useful for marketing.
“I would certainly hope that no marketing team is saying ‘give me all of your risk score data’. What they’re probably saying is, ‘give me the data behind that risk score, because we can use it in a different way’.”
Burrows’ fellow panellists, Miguel Luis, the Head of Compliance of Portuguese-focused bookmaker LeBull, and Myriah Abela, Data Protection Officer and Lead Data Privacy Officer at multinational gaming firm Betsson Group, took a similar view.
In Abela’s case, Betssons’ representative asserted that “companies definitely need to be cautious about reusing AML for responsible gaming data for marketing because of this risk of function creep, which can undermine the trust of the customer”.
Explaining yourself
Customers need to make sure they can trust the operator with the data processed during a transaction – that’s something of stating the obvious. But on the topic of trust, can we ever really trust AI? And can we trust the regulations around it?
AI is a constantly developing technology. It is one that is evolving so constantly, in fact, that it may be hard for many compliance teams and payments specialists in the iGaming space to keep up with both the tech and the regulations governing it.
“You need to have proper checks on the analysis that the AI does and the outputs especially,” said LeBull’s Luis. “You need to keep checking, and the AI may be analysing this data set or this flow, but there needs to be someone there checking sporadically.
“Is it still flowing as it should be? Is there some outlier data? Is it taking into consideration all the different flows and nuances and data points that it needs to look into?
“Because fraud is always evolving, we need to keep pace with it. If it changes pattern we cannot just be sitting there waiting for AI to magically figure out that there was a change in pattern that it needs to identify.”
AI’s evolution has been noted by authorities too – again, to somewhat state the obvious.
The EU AI Act came into effect on 1 August 2024. Although some provisions are still being implemented due within a 36 month time frame, the Act has established a framework of hefty penalties for non-compliant companies – betting operators included.
Other jurisdictions, like the UK, have not yet adopted any AI regulation, however. This leaves companies with a patchwork of different regulatory regimes and relevant authorities to navigate, although GDPR is consistently important.
“When it comes to AI, we don’t have one single regulator in charge, but we talk to different regulators,” said Alexandra Koerner, Chief Legal and Compliance Officer at Grand Casino Baden, one of the biggest casinos in Switzerland.
“You have the data protection authorities, we have the gaming regulator. We have other regulatory bodies, national ones, EU wide ones when it comes to the Digital Services Services Act, etc.
“You need to know in what field you move yourself, and then to whom you have to talk to.”
So, with all this to consider, how should betting firms – and other companies with rigorous KYC and payments policies and requirements to adhere to – treat AI?
The panels answer – like any other employee. As Luis put: “It’s your employee. You, the operator, hire them.”
He added: “If indeed you can prove that the AI didn’t work according to the standards or to the model that you gave them, you’re very much still liable towards the player, and you’re still liable towards the regulator.”
