Level Up: Video Games and AML

0
222

Analyzing how the latest generation of console-based video games and smartphone application games have changed the employment of their financial transaction capabilities provides additional insight into user trends and data analytics. While some video game companies, particularly those with microtransaction features, handle a significant amount of financial transactions, they are not considered national banks or savings associations. As a result, they are not always subject to the Bank Secrecy Act (BSA) or Office of Foreign Assets Control regulations. However, the video game industry has been subject to financial fraud and used as a medium for money laundering through the sale of digital goods and in-game currency.1 While not legally mandated yet, an enhanced transparency framework could reduce this activity by ensuring that in-game currency is used for legitimate transactions and that digital goods are sold for actual use, not as a cover for illicit money transfers.2 By employing an enhanced transparency framework, the video game industry can ensure increased oversight and due diligence to mitigate financial fraud and money laundering.

The Evolution of Gaming

Over the past several decades, video game technology has evolved exponentially. Unfortunately, the financial transactions via this medium can be leveraged for criminal activity, similar to how in-game communication features have been repurposed for covert communication purposes.3 The new ways video games socially connect user groups, such as through live streaming, will further evolve the manner that video games are used for money laundering. Twitch is one video game livestreaming platform that offers digital currency.4 It would be possible to launder money through this medium.

Transaction methodologies are prevalent across different aspects of the video game industry, from the console games represented by all the major companies, such as Microsoft, Nintendo and Sony, to the massive catalog of games available from the Google Play store and Apple’s app store. These different methodologies have created an environment where financial fraud and money laundering could occur. For example, fake smart-device applications are created and listed at higher than average costs to generate transaction activity that is really a cover for money laundering, similar to how fake books have been sold on Amazon.5 In addition, illicitly taking over a user account is an easy method to obtain the financial credentials of Xbox or Sony users, or as a means to access Apple’s app store user information.6, 7

Historically, there have been several different ways that money can be laundered and the concept of money laundering is not new to the video game industry. Microtransactions and in-game currency have both been shown to be avenues for money laundering.8 In the game, Fortnite customers can do this through accounts that have been established with illicit funds where the funds can be laundered.9 In addition, money launderers use free games that allow users to purchase power ups. Those resources are then resold as a means of sanitizing the illicit initial funds.10 Given the sheer volume of financial transactions that occur, there is ample opportunity for money launderers to obfuscate their transactions alongside legitimate financial activity.

Elements of an Enhanced Transparency Framework

Given the natural evolution of the financial and social aspects of the video game industry, an enhanced transparency framework (Figure 1 above) should be implemented to deter the use of money laundering methodologies. An enhanced transparency framework for the video game industry should consist of five supporting capabilities, combining different sources of personally identifiable information (PII) with improvements in automated technology.

Given the natural evolution of the financial and social aspects of the video game industry, an enhanced transparency framework should be implemented to deter the use of money laundering methodologies

Element #1: PII from a Technical Device

Personally identifiable video game information (PIVGI) can also be aggregated11 from a myriad of different items including the following:

  • Time zone of user
  • Login time
  • Duration of user
  • Game played
  • Type of device used
  • Serial number of device(s)
  • MAC address

This information is used by video game companies to ensure that accounts are not compromised or to validate user identity for password resets.12 For example, if one forgets the account information for a user on an Xbox console, there is a lengthy process wherein Xbox will reset the account login information. However, Microsoft must first confirm that the account was used only on a particular console and that there was no suspicious account activity.13

Element #2: PII from Account Information

Oftentimes, additional information used for billing purposes can be correlated to the individual who is logging in to play the game. This information includes the following:

  • Email address(es)
  • Phone number(s)
  • Payment information
  • Personal address (home and/or work)

This information is also used to validate the account as well as establish a payment capability. Similar to know your customer (KYC) requirements,14 enhanced transparency for video games can employ an infrastructure of networked dashboards which work in orchestration to aggregate and cross-reference the above information to provide a profile of the video game user. However, proper security of such information will be critical, particularly with current privacy laws around General Data Protection Regulation (GDPR)15, 16 and similar laws in the U.S., such as the California Consumer Privacy Act (CCPA).17

Element #3: Documentation via Utility or Government-Issued ID

Currently, there is no legal requirement for a video game player to provide additional documentation when setting up an account; however, when a bank account is set up, an individual is required to provide documentation to validate their identity. In the same way, items such as utility statements or government-issued photo identification could be required. This additional documentation would serve as another aspect of enhanced transparency to help corroborate the identity of the player. While this may seem a bit excessive, the requirement could either be phased over a period of several years or be required only if the player wanted to engage in a significant volume of financial transactions. Alternatively, the video game industry could incentivize the player via gamification techniques. Gamification techniques have been successfully employed in the gambling industry to entice players to spend more money.18 Similarly, subconsciously encouraging a player to provide additional information, without directly requiring them to do so, could result in digital rewards for the player. This would allow additional information to be directly obtained with confirmed consent via a transaction, resulting in the player receiving a form of compensation.

Element #4: User Behavior

One can obtain and aggregate information that provides a profile about the video game user to help ascertain their identity. In addition, one can also aggregate information from the way in which the user engages in the video game. First-person shooter games like Call of Duty or Overwatch have increasingly provided more in-game data points to players.19 This information is often leveraged by the moderators of gaming servers when looking for cheating or digital exploitation.

Alternatively, this same information could be used in concert with the personal billing and geographic origin information to provide enhanced transparency of the individual player. This would be similar to how some automotive insurance companies have additional sensors that their customers place in their cars to provide additional feedback to the insurance company.20 By gaining these additional insights, the insurance company is able to gain enhanced statistics on the manner in which a person uses the car and could theoretically distinguish drivers with different styles, e.g., a parent driver or an adolescent one.

While this requirement may not be mandatory for all players, it could be levied against players who wish to engage in an excessive volume of financial transactions. With this information, a player could have an additional icon placed next to their account name to indicate that they have successfully undergone additional validation. This may incline other players to increase engagement and trust them in financial transactions.

Element #5: Scoring System

Online scoring systems are not new across most video games. However, games currently associate a player’s online score with their in-game accomplishments, usually referred to as “achievements.” This is a direct indicator of how many games the person has played and the progress that gamer has made. In the same way that the U.S. has a national credit scoring system, or the manner in which online resale sites have a community-assigned score, a score could be assigned to each user of a video game product with in-game financial transactions. This could measure the user’s trustworthiness. Assigning a user, a numerical value—akin to how ride sharing21 and social media accounts provide ratings22—would provide visual icons or badges next to an account holder’s public information that could be seen by other video game players. An enhanced transparency framework would take each aspect and assign a quantitative value to it. This way, the video game company could analyze a user and see what the player’s risk is for financial fraud or money laundering.

If an enhanced framework for transparency is employed by video game companies to regulate in-game financial transactions, then the profitability for malicious actors will reduce

Benefits of Enhanced Transparency

Ideally, by establishing and enforcing an enhanced transparency framework, there will be both financial and nonfinancial benefits. However, the components of this framework for companies in the video game industry will have resource costs and legal considerations. While implementation of these new requirements may initially be difficult to adapt, technical automation will assist in implementing these at scale. In addition, future money laundering investigations will benefit from the increased baseline of user information.

If an enhanced framework for transparency is employed by video game companies to regulate in-game financial transactions, then the profitability for malicious actors will reduce. In addition, the correlation of user actions, when coupled with previously documented account information and historical user game play statistics, would make it harder for the malicious actors to conduct fraud and money laundering schemes via video games in an undetected manner. This increased potential for positive identification would drive these nefarious individuals to other mediums and industries.

This increase in transparency, coupled with the reduction in fraud, may also entice players to trust the in-game financial transaction system as much as a formal banking system. This could potentially increase the number of players who are inclined to spend money on micro-transactions and other digital content purchases, thereby increasing the revenue and profit of the video game’s financial system. Just as bitcoin exchanges are moving to align proactively with existing banking industry standards,23 the video game industry can and should align with similar reporting standards to mitigate fraud.

With a potential reduction in fraud, financial metrics based on users’ purchasing habits would be more accurate as the standard deviation attributed to fraud could be lowered. Companies could more effectively gauge new digital content or changes to the in-game financial mechanism, which are often structured to encourage players to spend more money.

Negatives of Enhanced Transparency

While an enhanced transparency framework would have benefits, such a program would not be without its potential negatives, planning considerations and resource requirements. From a certain point of view, one could make the case that enhanced transparency will not stop dedicated money laundering schemes. Requiring government-issued identification, or a copy of a utility bill, may stop low-level organizations. However, highly sophisticated money laundering organizations likely have the ability to create fake documentation that would pass a cursory background check. Identification fraud continues to be successfully employed across a wide spectrum of industries and identity theft of minors is a growing industry.24

In addition, companies might not be properly incentivized to allocate additional resources to an enhanced transparency framework. Depending on how the in-game financial transaction system is organized, a video game company may actually be subject to BSA laws.25 Knowing this, a video game company may purposefully avoid reaching a threshold that would require an enhanced framework. This could potentially provide an environment for money laundering to occur.

If an enhanced transparency framework was to be implemented, organizations would also need to consider the implications of data privacy and data protection requirements to ensure that the additional documentation and aggregated users’ information are properly secured. Given the increased aggregation of PII and user behavior information that is collected, there will be other considerations for a company to examine. The 2018 passage of GDPR26 in the European Union (EU) means that associated information about a video game player would be subject to such regulations. These increased regulation requirements are not limited to the EU and are growing in maturity globally.27 This increase in obtaining legal consent and the identification of user data has been, and will continue to be, an operating expense that companies in the video game industry will need to consider. Negative sentiment from the main user base, video game players, may also increase due to the additional documentation requirements of the enhanced transparency framework.

Finally, any time a regulatory body requires new compliance procedures, there are associated costs. Not unlike banks that do the bare minimum to satisfy BSA regulations, some video game companies may implement an enhanced transparency program at a basic level of maturity. While this may satisfy the minimum legally required regulations, there may never be enough of a financial or legal incentive for video game companies to mature their programs further.

Conclusion and Areas for Future Research

While the potential impacts of an enhanced transparency model for the video game industry have been previously described, there are also areas for further research. The increased transparency model—if successfully employed by a video game organization—could be used as a standard in other industries looking to monetize or increase monetization of their existing user experiences via micro or standard financial transactions. Other industries that could be researched to evaluate the impact of an enhanced transparency model include: urgent healthcare, therapeutic care, transportation networks and online retail. Increased monetization across the omni-channel ecosystems in these industries will continue to make them more lucrative to money laundering organizations. By proactively adopting an enhanced transparency framework, future money laundering schemes could be mitigated. Companies could also demonstrate better due diligence by obtaining more accurate identification information from users who engage in financial transactions. Ideally, this would better satisfy potential KYC requirements and deter criminal organizations from using synthetic identifications. In addition, by associating in-game behavior with player identification, video game companies would be better positioned to deactivate accounts if they were taken over by money laundering organizations.

As video game technology evolves to create new opportunities for monetization, the need for proper oversight and regulation will still remain. By employing an enhanced transparency framework, video game companies can proactively avoid fines and benefit from improved data analytics around user behavior and transactions. An enhanced transparency framework—supported by automation, machine learning and critical human analysis—would reduce the number of false positives and deter future malicious actors from continuing to employ video games as a means to launder money. This framework would require both executive endorsement and cross-matrixed support from different business units that facilitate an organization’s existing security procedures. Ideally, the enhanced transparency framework will provide video game players a financially safer environment, which will encourage increased transactions, improve revenue profit and result in fewer opportunities for money laundering and fraud in the industry.

Christopher Witbracht, CAMS-Audit, global director, AB-InBev, Mountain View, CA, USA, christopher.witbracht@ab-inbev.com

  1. Jennifer Carole, “Laundering Via In-Game Currency and Goods is on the Rise | Part 2,” Bromium, March 20, 2018, https://www.bromium.com/laundering-via-gaming-currency-and-goods-part-2/
  2. Olivia Solon, “Cybercriminals launder money using in-game currencies,” Wired, October 21, 2013, https://www.wired.co.uk/article/money-laundering-online
  3. Mark Mazzetti and Justin Elliott, “Spies Infiltrate a Fantasy Realm of Online Games,” New York Times, December 9, 2013, https://www.nytimes.com/2013/12/10/world/spies-dragnet-reaches-a-playing-field-of-elves-and-trolls.html
  4. Alan Bernal, “Twitch plan launch of new site-wide currency to rival Mixer,” Dexerto, August 18, 2019, https://www.dexerto.com/entertainment/twitch-new-site-wide-currency-rival-mixer-923948
  5. John Biggs, “Crooks launder money using real (and fake) Amazon ebooks,” TechCrunch, February 26, 2018, https://techcrunch.com/2018/02/26/crooks-launder-money-using-real-and-fake-amazon-ebooks/
  6. Amy Szabo, “From the Mob to Mario: How Money Laundering Lives on Through Video Games,” Panopticon Laboratories, August 3, 2016, https://www.panopticonlabs.com/from-the-mob-to-mario-how-money-laundering-lives-on-through-video-games/
  7. Matthew Gault, “Scammers Are Using ‘Clash of Clans’ to Launder Money From Stolen Credit Cards,” Vice, July 20, 2018, https://motherboard.vice.com/en_us/article/xwkyb3/scammers-are-using-clash-of-clans-to-launder-money-from-stolen-credit-cards
  8. Steven Messner, “How microtransactions and in-game currencies can be used to launder money,” PC Gamer, April 13, 2018, https://www.pcgamer.com/how-microtransactions-and-in-game-currencies-can-be-used-to-launder-money/
  9. Christopher Gabbert, “Fortnite has become the hot favorite way to launder money,” AndroidPIT, January 21, 2019, https://www.androidpit.com/money-laundering-with-fortnite
  10. Lisa Vaas, “Automated money-laundering scheme found in free-to-play games,” Naked Security, July 19, 2018, https://nakedsecurity.sophos.com/2018/07/19/automated-money-laundering-scheme-found-in-free-to-play-games/
  11. Alex Boutilier, “Video game companies are collecting massive amounts of data about you,” The Star, December 29, 2015, https://www.thestar.com/news/canada/2015/12/29/how-much-data-are-video-games-collecting-about-you.html
  12. Kyt Dotson, “EA Looks to Big Data to Level Up the Video Game Industry,” SiliconANGLE, February 28, 2013, https://siliconangle.com/2013/02/28?ea-looks-to-big-data-to-level-up-the-video-game-industry/
  13. “Recover and reset your lost Microsoft account password,” Microsoft, n.d., https://support.xbox.com/en-US/my-account/microsoft-account/lost-password-solution (Accessed January 23, 2019).
  14. Steve Hudak, “FinCEN Reminds Financial Institutions that the CDD Rule Becomes Effective Today,” Financial Crimes Enforcement Network, May 11, 2018, https://www.fincen.gov/news/news-releases/fincen-reminds-financial-institutions-cdd-rule-becomes-effective-today
  15. Danny Palmer, “What is GDPR? Everything you need to know about the new general data protection regulations,” ZDNet, May 17, 2018, https://www.zdnet.com/article/gdpr-an-executive-guide-to-what-you-need-to-know/
  16. EU data protection rules,” European Commission, 2018, https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en
  17. Mark G. McCreary, “The California Consumer Privacy Act: What You Need to Know,” New Jersey Law Journal, December 1, 2018, https://www.law.com/njlawjournal/2018/12/01/the-california-consumer-privacy-act-what-you-need-to-know/?slreturn=20190202224322
  18. Andrew Thompson, “Engineers of Addiction: Slot machines perfected addictive gaming. Now, tech wants their tricks,” The Verge, May 6, 2015, https://www.theverge.com/2015/5/6/8544303/casino-slot-machine-gambling-addiction-psychology-mobile-games
  19. David Murphy, “Battle on the Metric Front: Dispatches from Call of Duty’s Update War,” Game Studies, December 2014, http://gamestudies.org/1402/articles/murphy
  20. Mike Juang, “A new kind of auto insurance technology can lead to lower premiums, but it tracks your every move,” CNBC, October 6, 2018, https://www.cnbc.com/2018/10/05/new-kind-of-auto-insurance-can-be-cheaper-but-tracks-your-every-move.html
  21. Nicole Spector, “Is your Uber rating low? One of these bad behaviors may be to blame,” NBC News, May 23, 2018, https://www.nbcnews.com/better/pop-culture/what-uber-drivers-hate-most-how-be-better-passenger-ncna876806
  22. Kevan Lee, “How to Get Verified on Twitter (If I can do it, you can too!),” Buffer, November 29, 2018, https://buffer.com/library/how-to-get-verified-on-twitter
  23. Angela Habibi, “The Bank Secrecy Act and Cryptocurrency,” Medium, January 6, 2018, https://medium.com/datadriveninvestor/the-bank-secrecy-act-and-cryptocurrency-7565c84d8bcf
  24. Kelli B. Grant, “Identity theft isn’t just an adult problem. Kids are victims, too.” CNBC, April 24, 2018, https://www.cnbc.com/2018/04/24/child-identity-theft-is-a-growing-and-expensive-problem.html
  25. Evan Minsberg, “Using virtual currency in your game requires compliancy too,” App Developer Magazine, February 1, 2017, https://appdevelopermagazine.com/4884/2017/2/1/Using-virtual-currency-in-your-game-requires-compliancy-too/
  26. “Reform of EU data protection rules,” European Commission, 2018, https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en
  27. Mark G. McCreary, “The California Consumer Privacy Act: What You Need to Know,” New Jersey Law Journal, December 1, 2018, https://www.law.com/njlawjournal/2018/12/01/the-california-consumer-privacy-act-what-you-need-to-know/?slreturn=20190202224322