FanDuel Comments on Virginia Consumer Protection Regulations (11 VAC 5-80-100 to 11 VAC 5-80-110)
11 VAC 5-80-100 Security of funds and data
Subsection (B) of this section prohibits permit holders from sharing “information that could be used to personally identify a sports bettor with any third party other than the Department, law enforcement with a warrant or subpoena or a credit reporting agency.” This prohibition poses a number of potential issues for permit holders.
First, as acknowledged by the provisions of these regulations related to the licensing of suppliers and registration of vendors, there are a number of third parties who are critical to the operations of sports betting platforms and who need access to customer information in order to perform their functions. For example, when a player signs up to create a sports betting account with a permit holder, the permit holder will engage in an age and identity verification process. Typically this process relies on third party identity verification providers such as IDology and/or Aristotle to confirm the identity of the customer against existing databases as envisioned by 11 VAC 5-70-290(B)(8). When a customer makes a deposit to their account using one of the approved methods in 11 VAC 5-70-290(G), processing such a request will require sharing personally identifiable information with a payment processor. Additionally, there are other third-party suppliers for whom access to personally identifiable information is or may be necessary for the proper fulfilling of their duties including geolocation service providers, integrity monitoring providers, marketing vendors, etc.
Second, this section goes on to provide that “Information that could be used to personally identify a sports bettor includes gaming habits.” This presents issues with the “real-time” sharing of information with sports governing required by 58.1-4031(D). Although the information is required to be shared “pseudonymously” with sports governing bodies, it is possible to identify certain bettors based on the timing and size of the wager(s) made. For example, in the fall of 2019 a Houston businessman publicly made a number of large bets in multiple states in relation to the World Series. When a sports governing body (or its designee) reviewed the data from the casinos where the bets were made, they would be able to identify the wagers placed by this individual.
Subsection (D) of this section provides a list of the permissible forms that a permit holder’s reserve for payment of prizes and winnings must take, however the list does not include payment processor reserves and receivables. This option is authorized in a number of states, including: Colorado; Iowa; Indiana; and Pennsylvania. Allowing permit holders to use payment processor reserves and receivables to satisfy the reserve requirement allows for greater flexibility for permit holders to invest in driving customers from the illegal offshore market to the legal regulated market, while still ensuring the customer protection that the reserve requirement provides.
Subdivision (5) of Subsection (E) of this section provides the timeframe in which a permit holder must honor a request by a sports bettor to withdraw their funds. There are two clarifications to this section that would assist permit holders in ensuring compliance with this regulation. First, it appears that the number of days allowed for a permit holder to process a withdrawal after receiving such request was inadvertently left out. Presumably, the time period is the same 10 day period allowed for processing a withdrawal after the submission of necessary tax reporting paperwork referenced later in the regulation. Second, the authorization for permit holders to prevent the processing of a withdrawal request in the event of a pending investigation for fraudulent conduct, should be clarified to ensure that this includes situations where the permit holder believes in good faith that the sports bettor is on the self-exclusion list or is a prohibited sports bettor.
Subdivision (6) of Subsection (E) of this section requires permit holders to allow sports bettors to permanently close their account at any time for any reason. This subdivision goes on to provide that a permit holder’s procedures “shall allow for cancellation by any means…”, but it is not clear what the regulation means by “cancellation.” This subdivision should be clarified to ensure that bettors may close their accounts, but that they do not have the right to unilaterally cancel wagers that they have already placed with a permit holder.
To address the concerns raised above, we suggest the following changes to 11 VAC 5-80-100:
“B. A permit holder shall [
not] only share information that could be used to personally identify a sports bettor with any third party other than the Department, law enforcement with a warrant or subpoena or a credit-reporting agency in accordance with its approved internal controls on data privacy and protection. Information that could be used to personally identify a sports bettor includes gaming habits.
D. A permit holder shall maintain a reserve in the form of cash, cash equivalents, an irrevocable letter of credit, a bond, payment processor reserves and receivables, or a combination thereof in an amount approved by the Department and sufficient to pay all prizes and awards offered to a winning sports bettor.
E. A permit holder shall implement and prominently publish the following on its platform:
5. Procedures that allow a sports bettor to request withdrawal of funds from his user account, whether such account is open or closed, including:
The permit holder shall honor any sports bettor's request to withdraw funds by the later of 10 days after receipt of the request or 10 days after submission of any tax reporting paperwork required by law, unless the permit holder believes in good faith that the sports bettor has engaged in [
either] fraudulent conduct or other conduct that would put the permit holder in violation of this chapter, or is on the self-exclusion list or otherwise is a prohibited sports bettor, in which case the permit holder may decline to honor the request for withdrawal for a reasonable investigatory period until its investigation is resolved if it provides notice of the nature of the investigation to the sports bettor. For the purposes of this subdivision, a request for withdrawal shall be considered honored if it is processed by the permit holder but delayed by a payment processor, a credit card issuer, or the custodian of a segregated account; and
6. Procedures that allow a sports bettor to permanently close a user account at any time and for any reason. The procedures shall allow for [
cancellation] account closure by any means, including by a sports bettor on any platform used by that sports bettor to make deposits into a segregated account.”
11 VAC 5-80-110 Limitations on user accounts
Subsection (B) of this section requires permit holders to utilize reasonable measures to verify a sports bettor’s identity and address. While requiring a customer provide their address as one of multiple data points used for identity verification, the identity verification process does not specifically verify the exact accuracy of the address in addition to verifying the identity of the user. Indeed, simple, non-substantive errors like slight misspelling of street names or a typo on the quadrant of a street (“NW “ instead of “NE”) or using “avenue” instead of “road” are common, and can prevent “verification” of the address specifically even where the total information available about the consumer is more than sufficient to verify their identity. Accordingly, the requirements of this Subsection should be limited to requiring identity verification.
To address the concern raised above, we suggest the following change to 11 VAC 5-80-110(B):
“B. A permit holder shall take commercially and technologically reasonable measures to verify a sports bettor's identity [
and address] and shall use such information to enforce the provisions of this section.”