H2 trading saw all betting operators report tough and costly adjustment periods as they complied with enforced KYC demands across multiple markets.
Rob Griffin, CEO of MIRACL, a developer of tailored ID provisions for highly regulated markets, tells SBC that betting incumbents can clear their KYC hurdles by challenging out-of-date verification concepts and operating norms.
SBC: Hi Rob, thanks for this interview, you have launched ‘MIRACL Trust’ as a purpose-built authentication solution for betting incumbents – can you detail the development of this product from its conception through to its product development and launch?
Rob Griffin (CEO – MIRACL): Thanks SBC. It’s been a long road, which literally started with our team developing the raw maths of ground-breaking cryptography in academic papers 10 years ago. We then patented the technology and integrated it into the product that we’re now launching at Betting on Sports.
Our code is licensed by Intel, GCHQ and the US Air Force among others but I can honestly say that some of the security, fraud and regulatory challenges now faced by gaming operators are every bit as sophisticated, particularly when the end result needs to be all but invisible to the end-user.
Usernames and passwords have long been regarded as a weak solution for operators and users alike. In creating an alternative we wanted to address some big underlying problems that are inherent with existing security architecture – particularly for operators as they seek to meet ever more stringent regulation and combat fraud.
Even more important was the need for great user experience – simple and intuitive – as well as MIRACL Trust® having the low cost and flexibility needed to scale over large consumer applications. Combining all of those was a real challenge but with 7 patents and over £20m of R&D under our belt, we’re proud of what we have built.
SBC: Betting incumbents’ H1 2019 interim results have detailed that operators are finding it hard to meet new enforced KYC requirements. Why do you feel this has happened?
RG: I think there are really two reasons.
First, people typically think of KYC as being confined to the process of checking the integrity of a user’s identity documents and that they match who the user is claiming to be. However, that is really the easy part.
The real challenge is knowing at any moment in time who is accessing your service. Without that, adhering to your licence, providing safe gambling and combatting fraud are all impossible.
There are now over 3.5 billion credentials for sale on the dark web, available across just 4 databases. Hackers buy these to try and take over accounts so that now just shy of 50% of attempted log-ins are fraudulent. The bottom line is that usernames and passwords no longer provide any value to knowing who is using your service and operators are taking time to realise that.
The second reason relates to betting being time-sensitive and often impulse led. Most authentication technologies on the market require so many additional steps that all the friction they create completely ruins the user experience and you lose the business. MIRACL has made big advances here because the entire authentication process never pulls users from where they can place a bet and authentication only requires one completely intuitive step.
Tight KYC management and the authentication of a player cannot be at the expense of slick user experience and I think that has been missing as an option for operators … until now.
SBC: Launching ‘MIRACL Trust’ you detail that you want betting incumbents to rethink out-dated structures with regards to customer verification… What exact dynamics are you seeking to challenge?
RG: The first perceived dynamic to challenge is that increased security and authentication measures need not result in a worse experience for their users. To date, that has been the dynamic because security architecture has all been based on the same cryptography so improvement simply meant adding another security layer. By contrast, MIRACL offers a whole new security architecture, not just another authentication layer.
Betting platforms and operators need to understand that the underlying security technology used to satisfy the regulatory and fraud requirement was never designed for the purpose. In fact, it was literally patented in the early 80s, 35 years before GDPR!
MIRACL has therefore developed new security architecture that not only gets rid of the nightmare of passwords but can securely authenticate a customer without either storing or sending any personal user data. That massively reduces the task of IT departments protecting your customers’ data and it really cuts the GDPR risk while adding to security. Crucially, the user experience is far superior too.
SBC: As a technology enterprise, MIRACL has established ID and compliance provisions within the financial services sector. What can betting incumbents learn from this highly regulated sector with regards to customer security frameworks?
RG: The increase in regulation that the financial services sector has experienced in the last years can no doubt provide some invaluable lessons for the gaming and gambling space. The good news is that I think gaming companies have shown themselves to be a lot more agile in adopting new technology than banks.
I also think there is a danger that just in the way the banking sector has been targeted for regulation by politicians seeking to ride public opinion, so the gaming sector may be increasingly in their sights.
As it is, gaming licence requirements are advancing at a serious pace, not just in the UK but worldwide. This is particularly the case in relation to safer gambling, which requires a detailed understanding of a gamer’s history and permitted activities.
At the same time, new regulations such as GDPR have really shifted the onus of responsibility on to operators of any consumer-facing apps or website. The consequences of failing either of these challenges are dire. Just in the last few months, we’ve seen £11m of fines from the UK Gambling Commission and £183m levied against British Airways.
I believe betting incumbents and the industry at large need to get in front of this growing regulation and take the opportunity to lead in creating consumer-facing apps that are capable both of providing safe and secure gambling and really slick and fun user experience.
SBC: How do you see customer ID verification developing as an industry discipline, what challenges do incumbents face in the near future?
RG: The challenge of knowing exactly who is accessing your service is a hard one and there are a bunch of related issues platforms and operators need to think about.
First, the user registration needs to be speedy and effective. Speedy in the sense that there is no barrier to new customers being able to start playing. Effective because ID verification in a KYC process needs to be preserved by having a really strong authentication system.
Second, as I’ve mentioned, the security of customers’ authentication must not compromise the user’s experience. That means that they are intuitive and are universal to all platforms: desktop, mobile and wearables, so that users are never distracted from the more important task of placing a bet.
Third, I think GDPR is a big deal because the fines could really jeopardise an otherwise healthy business. So operators should be looking to use systems with what’s called a ‘Zero-Knowledge Proof’ so that they neither store nor send personal data to get an authentication.
Fourth, as live streaming becomes part of sportsbook, operators are going to have to take responsibility for digital rights management, otherwise costs could balloon if lots of people log in under one ID just so they can watch the football.
Lastly, I can see the lure of crypto casinos because these allow anonymity for the users, which would make operators’ life easier but I think that is exactly the opposite direction to where the industry needs to go if it is serious about safe gambling and cleaning up the perception of online gaming.
SBC: Moving forward, what debate and discussion should industry leaders be confronting with regards to developing their compliance structures?
RG: It’s good to end on an easy question. For me, it’s clear, compliance structures need to start with a simple question: do you 100% know who is accessing your service? If you don’t, any additions to your compliance process are like a castle built on sand.
The conclusion is clear. There is no way that usernames and passwords will allow you to be 100% sure of who is on the end of a connection so you will not be able to combat fraud or be confident of fulfilling regulatory or licence obligations.
So platforms and operators now need to reassess their secure authentication processes. When they do so, they need to prioritise the user experience, not just the security. Any solution that adds additional steps either at registration or when placing a bet is going to compromise the user experience and therefore sales. A good security and authentication system should be providing Player Account Management systems with the data to create a better experience. Instead, most just throw up one-time passcodes for users to re-enter and people hate that.
So in summary, invest in secure authentication so you know who is accessing your service but in doing so, don’t tolerate any compromise to user experience! It doesn’t need to be that way.
Rob Griffin – CEO – MIRACL