All we online gambling players, ploppies, punters, squares, sharps and sharks share the common need of moving our money around as quickly and painlessly as possible. With credit cards not always passing muster, online payment solutions Moneybookers and Neteller are a valuable resource. Also PayPal, which still services a limited gambling market, and Click2Pay, offering a kind of second-tier credit card system, have their place where credit cards fail.
Another useful aspect of the likes of Moneybookers and Neteller is their incorporation in the UK, putting them under the control of the FSA and answerable to all aspects of UK law, including the 1998 Data Protection Act. They have access to a considerable amount of sensitive customer data – credit cards, bank accounts and all manner of identity verification documentation – so the tight legal framework they are bound by is important for customer peace of mind.
But how secure is the data?
Just over a year ago I started having doubts, when a Moneybookers customer reported that his account had been closed on the basis of information received from a casino client, but without ever being notified by Moneybookers as to exactly what the information was – I reported on this in my “Moneybookers: potential breach of UK law” article.
If you look at the “rights of data subjects” section of the Data Protection Act, this bit jumps out:
7 Right of access to personal data
(1) Subject to the following provisions of this section and to sections 8 and 9, an individual is entitled -
(a) to be informed by any data controller whether personal data of which that individual is the data subject are being processed by or on behalf of that data controller,
(b) if that is the case, to be given by the data controller a description of -
(i) the personal data of which that individual is the data subject,
(ii) the purposes for which they are being or are to be processed, and
(iii) the recipients or classes of recipients to whom they are or may be disclosed,
(c) to have communicated to him in an intelligible form -
(i) the information constituting any personal data of which that individual is the data subject, and
(ii) any information available to the data controller as to the source of those data
It seemed to me that these clauses had been breached, as the data had not been disclosed to the “data subject” – customer – in question.
More recently, another possible breach came to my attention: the customer of one Cherry Red Casino had winnings confiscated on the basis of information apparently received from Moneybookers. I requested and reviewed his email correspondence with the casino in question, and posted extracts in my Cherry Red Casino and Moneybookers article. Most worrying was this revelation:
We have worked closely with third parties to ascertain which players are genuine and which are fraudulent and yours has come back as being connected to other players in Europe and as having transferred funds between Moneybookers accounts.
We are certain that the information we had received from Moneybookers and third parties constitute to the answers we have given players.
So, confidential information of some kind or another was evidently disclosed, by the payment solution to the gambling operation, with no notification to the player.
Another player reported publicly, on another similar case, in the Gambling Industry Association Rushmore Casino discussion. Here, an affiliate representative gave a little more detail about the nature of the information:
Moneybookers…only confirmed with us which Moneybookers email addresses were linked and had transferred funds between themselves, it was a yes or no answer and included no further private or confidential banking information or otherwise. Moneybookers…confirmed that these accounts were in fact connected and…transferred funds between their accounts also.
There are a few problems here.
In the first place, confidential information is supposed to be genuinely confidential, and informing a third party of aspects of a customer’s account and the people to whom they make transfers is not an aspect of “confidentiality” that I am aware of. The customer in question was at no point notified by Moneybookers of the disclosure, in whatever format, of his account details to third parties.
I am not a lawyer, but this does not look right to me, insofar as it appears to contravene the section of the DPA that I quoted above.
In the second place, and marginally off the question of confidentiality but highly relevant to customers of these payment solution providers and the industry as a whole, is that this information may be leading to bogus conclusions – the fact that Customer A transfers funds to customers B and C does not necessarily make Customer A guilty of an illegal act. Whether or not the customer is guilty, the correlation between the guilt and the account activity in question is by no means absolute.
Here is a possible scenario:
Casino: “We believe these two players are connected (and therefore guilty of activities we do not allow); can you confirm this?”
Moneybookers: “Yes; the two accounts in question have transferred and received funds”.
On this basis, to summarise my above points:
1) This disclosure to a third party of a customer’s account activity may be leading to entirely erroneous conclusions.
2) More importantly: at no point was the customer – or rather, customers – informed of these behind-the-scenes information exchanges. This appears to me, in line with simple reasonable behaviour, unacceptable, as one ends up being convicted with no right of defence. But more importantly, the nature of the disclosure in question does not appear to me to adhere to the laws I quoted above.
I have, myself, carried out a few “person to person” transfers with Neteller, the payment solution I use. I would hope that Neteller never disclose this aspect of my account, or any other, to third parties.
Whether or not Moneybookers discloses aspects of my account to third parties is irrelevant to me. I no longer use their services.
I will be forwarding this article to Moneybookers for their comments.
Truly interesting. Keep us updated.
“In the first place, confidential information is supposed to be genuinely confidential.”
Yes, but subject to local laws in which the customer operates; UK, European and US money laundering laws etc…
Just sent Moneybookers an email with link to this article, asking for details on the circumstances of disclosing confidential information, and why the customer is not informed.
Keep us updated.
Don’t hold your breath, I’m pretty sure they won’t reply.
No reply. Absolutely no surprise, either – even when I used my VIP email address.
So Moneybookers cannot tell us any circumstances in which they will disclose confidential data.
Not that they’ve got anything to hide, of course.
Thanks for the info.
I’ve had the following correspondence:
————————-
Me:
“Hello,
I understand that Moneybookers will disclose confidential customer information to its casino clients at their request. In one instance, I’ve seen the emails in which the casino, Cherry Red, states this to a customer (etc etc)…
As such, Moneybookers certainly disclosed some form of confidential customer information to a casino.
Can you please tell the nature of confidential information that Moneybookers will disclose about its customers to its casino clients, and why? Also, why does Moneybookers not inform the relevant customer when his account data is discussed with third parties?”
Moneybookers:
“Please note that as per our Terms & Conditions we provide information about our customers to third parties ONLY in proven cases of fraudulent activity and only to prevent further abuse of ours or merchant’s systems and rules.
In case the merchant contacts our Anti-Fraud Department with an inquiry about the account condition of mutual customers we can only confirm the details already provided and whether the account is in good standing with us or not.
I would like to assure you that your personal details as well as all details for other customers of our company are kept confidential and are not disclosed to third parties according to the regulations of the FSA.
I hope the provided information has been useful, in case there is anything else I can assist you with, please don’t hesitate to let me know. It would be my pleasure to help out.”
Me:
“Thank you for replying.
I’d like to give a specific example: If a merchant comes to you and says, “we believe there is a connection between accounts X, Y and Z. Can you please tell us if accounts X, Y and Z have had money transferred between them?”, would Moneybookers, in the instance, say “Yes, that is correct”, “No, that is not the case” or “This is not information that Moneybookers is at liberty to disclose”?”
Moneybookers:
“In case they just want to confirm a connection between different Moneybookers accounts, we will not disclose any information. The only case we may confirm if there has been activity between different accounts if the merchant comes to us with a specific case, where they have confirmed fraudulent or abusive customer behavior and this case has been evaluated by our Anti-Fraud team, who have established that there has been suspicious transaction activity. In such a scenario, they will contact the merchant directly to confirm the details which we have received. I hope this clarifies the matter further, if there is anything else I can do for you, please don’t hesitate to let me know.”
——————————–
So, if the casino says “there is fraudulent activity”, Moneybookers will disclose the required details, as long as MB has also confirmed “suspicious activity” themselves.
What MB considers “suspicious activity” is anyone’s guess. P2P transfers are not illegal.
I’ll try to get an answer on this.
Interesting. Thanks.