Pennsylvania Seeks To Reduce iGaming Fraud With Stricter KYC Requirements

July 8, 2025

Pennsylvania regulators have released a list of enhanced know-your-customer (KYC) requirements in an effort to strengthen account security and reduce fraudulent activity, as they continue to involuntarily exclude online gaming customers for unscrupulous activities.

In November, the Pennsylvania Gaming Control Board (PGCB) issued a request for industry comment on updating the state's KYC guidelines as they relate to the creation of iGaming accounts.

That was followed by a memo earlier this year that will require online sports betting and iGaming licensees to implement new KYC requirements by September 30, to include an identification upload and liveness check such as a selfie photo.

Further requirements to protect against fraud must be implemented by February 28, 2026.

According to the PGCB, the updated KYC requirements were not the result of individuals being placed on the regulator's iGaming Involuntary Exclusion List for fraudulent activities.

“Instead, I would say that the new guidance is simply a reflection of a look at best industry practices that have emerged,” PGCB spokesman Douglas Harbach told Vixio GamblingCompliance in an email.

Harbach said he was not aware of any opposition to the new guidance, which will impose notably stricter KYC rules than in other U.S. states with legal iGaming or mobile sports betting.

“In fact, we spent the second half of 2024 meeting with payment providers, banking institutions, and technology providers to gain their insights into crafting these practices,” he said.

Under the state's gaming law, each of the state's land-based casinos is eligible to offer online casino games via an unlimited number of platforms or skins, plus online sports betting through a single skin.

"An online sports wagering operator would need to adhere to the updated KYC and MFA guidance since it is a type of interactive gaming," Harbach told Vixio.

The enhanced KYC and fraud prevention requirements that are scheduled to be implemented by the end of September include an identification and liveness check as well as ensuring the accuracy of a customer’s data.

If the automatic KYC process fails, operators will be required to conduct manual KYC that includes multisource authentication for any re-entered or modified customer data.

If that verification fails, patrons need to provide a government-issued photo identification, social security card and proof of residence, with all information being manually logged by the operator, and the incident being reported to the PGCB.

“The purpose of the enhanced KYC requirement is to ensure critical patron identity information is verified as true and accurate,” Kevin O’Toole, PGCB’s executive director, wrote in a letter dated January 22 notifying licensees of the new guidelines.

O’Toole reminded operators that they must implement the enhanced KYC requirements on an ongoing basis but will not be required to reverify existing accounts.

The enhanced requirements also limit each device to accessing no more than four iGaming accounts within a 14-day period. Additional accounts can be allowed if operators contact patrons and obtain justification, which must be maintained and available for PGCB inspection.

Operators are also required to file a fraud form with the PGCB and Pennsylvania State Police anytime an attempt is made to create an account for a deceased individual.

The PGCB will further require all licensees to enforce the agency’s enhanced KYC, MFA, and payments requirements if a patron created an account in another state with legal iGaming, before any wagering can take place in Pennsylvania.

Pennsylvania Targets Fraudulent iGaming

The PGCB’s actions to strengthen its KYC procedures come after regulators have placed more than a dozen individuals on its involuntary interactive exclusion list for committing fraud using iGaming sites.

Regulators began to crack down on fraud in June 2024 with the placement of 11 individuals on the list for using a scheme to obtain an iGaming account in another person’s name and identifiers, and fraudulently placing funds into their iGaming account and then withdrawing them into their own bank account without wagering.

Among the specific incidents of fraud committed by the unidentified individuals was illegally requesting and receiving chargebacks to a credit card totaling $5,150 and creating five separate online accounts using other people's personal identification and withdrawing $6,195 into their own personal bank account.

Last July, the control board placed another seven individuals on the iGaming Involuntary Exclusion List. The decision came after investigations conducted by the PGCB’s Bureau of Investigations and Enforcement (BIE) found fraudulent activities involving a total of $27,168.

Those fraudulent activities involved creating online gaming accounts using stolen personal identification and receiving six chargebacks totaling $10,000 on a credit card linked to an online casino-type game account.

The PGCB in May added another nine individuals to the list for fraudulent actions involving online gaming, which was followed a month later with six individuals added to the list.

Currently, there are 95 individuals on the state's iGaming Involuntary Exclusion List.

Enhanced Fraud Prevention In 2026

Under the guidance released earlier this year, licensees are expected to have additional KYC, as well as multi-factor authentication and fraud prevention requirements, in place by February 28, 2026.

The PGCB’s enhanced mandate requires operators to conduct MFA checks every 14 days for each device used to access an interactive gaming account, using customer identification or access-management software, authentication apps, biometric verification (face or fingerprint), or other PGCB-approved methods. The use of a one-time security code sent via text message to a user’s mobile phone will be acceptable until January 1, 2027, after which a new method must be implemented, according to the control board.

The control board also issued new payment method requirements for all new accounts that are less than six months old or have been inactive for six months, including limiting them to three credit or debit cards, three ACH banking accounts, and one account per third-party payment service, such as Venmo or PayPal.

“Additional payment methods can be added after a 72-hour waiting period, provided an existing payment method is deleted,” the PGCB said. “New payment methods must pass address verification service (AVS) before deposits.”

Operators are also required to perform “soft geolocation checks” during account creations, deposits using a new payment method, and withdrawals of greater than $10,000.

The PGCB’s new requirements also call for operators to re-upload a valid government-issued ID within 90 days of the expiration of the ID on file. The ID must be verified to ensure it is current and accurate, according to the gaming regulator.
