The $100,000 Wake Up Call: How Static iGaming KYC Is Becoming a Laundromat for Gen AI

The Pennsylvania Gaming Control Board just handed BetMGM a wake-up call for every iGaming compliance officer in North America, disguised as a $100,000 fine. While it’s true that the total dollar amount looks like a rounding error for any serious tier 1 gaming operator, the actual facts of the case show why BetMGM not only likely lost millions more but that the entirety of the iGaming Know Your Customer defense is at stake.

Pennsylvania and all other gaming states, whether land-based or online, must follow Federal laws arising out of the 1985 Bank Secrecy Act. This includes a Know Your Customer (KYC) Mandate that has only become stricter over time, especially after the 9/11 terror attacks. 

Currently, any cash in or cash out in a single gaming day requires that a Currency Transaction Report is generated. But more importantly for our story, it requires a Suspicious Activity Report or SAR be filled out for transactions over $5,000 that casinos know, suspect, or have reason to suspect either involves illicit activity or has no lawful purpose. 

However,  Pennsylvania goes even further than these federal laws. While the Feds framed these regulations about money laundering and terrorism, Pennsylvania's legal code makes it clear that they view them through the lens of gaming integrity and the public interest. All online casino patrons must have ID at registration and that ID must be vetted through various internal controls. 

These internal controls (IC) are also taken very seriously; online operators in PA have more than 1,300 ICs on the books in total, covering iGaming operations. Many of these deal with not only what identification will be accepted, and not when the customer actually makes a deposit, but when that customer first registers. 

1,500 Ghost Accounts Means Trouble for the Future

The BetMGM case, however, reveals that many of those ICs are no longer enough in a world with generative AI, and why so-called static checks of identification are quickly becoming a thing of the past. Pennsylvania regulators identified four separate fraud rings that operated for nearly three years across the BetMGM and Borgata platforms. 

One ring alone created 1,567 accounts using stolen Personal Identifying Information (PII). Another smaller group of only 119 accounts still managed to place wagers totaling almost a million dollars over two years. What these groups had in common was the ability to beat BetMGM’s verification checks to open accounts in other people’s names and then in many cases also use stolen “payment devices”.

In this case, “payment device” just means a credit card number or perhaps login credentials to a PayPal or Venmo account. But imagine if you had a stolen credit card and managed to use SSN, birthdate, and address information either stolen or purchased on the dark web to open a sports betting account. 

Then, using bots, you look for nearly risk-free arbitrage bets where you can hedge bets between these stolen accounts and clean accounts. Once you’ve managed to get that money into the clean accounts, it's ready to be withdrawn, and because it's hidden behind hundreds of thousands of bets on that same sporting event, it becomes nearly untraceable. 

Not only that, but many of these stolen accounts are eligible for risk-free credits given by these books to encourage sign-up. That money is also slowly bled off to clean accounts. Even if the account holder notices and files a chargeback, there is no one left holding the bag but the operator, who has no idea which account on the other side was the one involved.  They lose twice, once to the chargeback and once again paying out the “winner”.

That is a bad enough result for the casino, but 1,500 fraudulent accounts operating for years, racking up comps, freeplay, and sign-up bonuses? Ouch. But according to the PGCB, at least BetMGM should have known that all of these accounts were linked by both shared IP addresses and even shared devices. 

Which would seem to be a KYC failure of epic proportions, except in 2026 device spoofing software has made device fingerprinting a sort of arms race where it takes the latest and greatest tech to either hide a device or discover its true location and identity. 

Most of these accounts stayed well under the SAR $5,000 trigger and passed the PA IC checks required under law to open and fund an account. 

But we also know that BetMGM likely didn’t follow up with more background checks over the intervening months, as at least some of these customers were deceased. They likely waited for any given ID to expire before conducting another check. 

This concept of static KYC is becoming increasingly untenable as generative AI becomes capable of not only producing high-quality identification documents but even spoofing facial scans. Checking an ID every four years is no longer a viable option when so much damage can be done in that time frame. Fortunately, that same tech which has allowed fraudsters so many opportunities to create fake accounts can also be used to pull them out by the roots. New persistent KYC software uses agentic AI to always be looking at 100s if not thousands of pieces of data to ensure that your new casino customer is, in fact, who they say they are. 

Obviously, death certificates, change of address, and credit reports are being confirmed, but in this bold new frontier, it may also look at things like dwell time; which is how long you hold down each key on your keyboard, or cursor drift, which is just the messy way actual humans move the cursor across the screen. Even something as mundane as battery logic may show if you are pretending to be on a cell phone when in fact you are operating from a desktop. 

End of the SnapShot Era

Ultimately, the BetMGM fines shouldn't be viewed only as a penalty for past mistakes but as a mandate for rolling out future technology that will help parse whether a casino should “know, suspect or have reason to suspect” that any of its customers are up to something illegal. Gen AI can literally create an entire customer and a clean ID in milliseconds, which means the industry has to move forward from a static snapshot of a customer that just sits there for years. 

In this new high-stakes world of iGaming, your typing rhythm and mouse jitter will soon be as important to proving who you are as your SSN or birthdate. The takeaway for any high-end iGaming operative anywhere in the country is that if you're not already leaning into agentic AI to secure your perimeter and lock down your customer base, it won’t be just the six-figure fine that hurts, but the millions at stake to fraudsters, money launderers, and bonus abusers.