Protecting underage players

1) Protection objectives and principles

The goal is to exclude persons under the legal age from gambling and advertising, and prevent circumvention of restrictions.
Principles: "preventiveness," "data minimization," "honest UX without dark patterns," "provability of compliance" (logs/audits).

2) Legal fundamentals (high-level)

Age thresholds: jurisdiction specific (often 18 +, less often 21 + or otherwise).
Operator's duties: checking the age before admission to deposits/play, advertising block for children, maintaining registers and check logs.
Liability: fines, license revocation, mandatory reports and corrective actions.

3) Multilevel AGE/KYC verification

3. 1 Check stages

1. Pre-KYC AGE gate (before registration): date of birth + information banners about the ban for minors; promotion unit.
2. Onboarding AGE-check: quick check by trusted sources (database of credit bureaus/identifiers, state registers, telecom checks - where legal).
3. Documentary KYC: passport/ID card/driver license + selfie comparison (where legal); automatic anti-tamper/wellness.
4. Additional "signals" for escalation: mismatch of age in the sources, payment in the name of a third party, children's/educational mail domains - only as triggers of manual verification (without discrimination).

3. 2 Tolerance rules

No AGE verification - no deposit/game.
Verification Failed/Disputed - Temporary Hold, Recheck Request, Policy Refund.
Re-verification by triggers (change of full name/address, suspicious activity).

3. 3 Privacy

Collect a minimum: confirmation of the fact of age and identifier; if possible, store hashes/tokens.
Separate data zones: photos/scans separately, access by JIT and strict RBAC/ABAC.

4) UX patterns and "baby" barriers

Visible age disclaimer (18 +/21 +) on landings and at enrolment.
Honest onboarding: no gamification to an AGE check, no promo waves.
Zero marketing before age confirmation; "hard" CTAs are disabled.
Simple language and large controls; availability (a11y).
Parent section: tips for parental control of devices/browsers, links to OS tools.

5) Marketing, Affiliates and Advertising

5. 1 Prohibitions and filters

Banning Audience Targeting <18/21; exceptions by interest categories and venues with a children's audience.
Suppression feeds: lists of banned contacts (unverified/suspicious) to all channels (email/SMS/push/ads).
Creatives: without children's images/characters/school symbols, without theses "pocket money," "school holidays," etc.

5. 2 Affiliates

Contractual requirements: prohibition of content/traffic with a children's audience, the right to audit, fines/termination for violations.
Technically: pre-landing checks, AGE status postbacks, automatic rejection of juvenile lead fees.

6) Technical architecture

AGE Service: verification sources → statuses (verified/pending/failed), logs and reasons for failures.
KYC/Docs Service: document loading/processing, lifeness, anti-tamper, vendor SDKs (with DPIA and contracts).
Access Gateways: "no age, no play/deposit" predicates.
CRM/Ads Hub: suppression before verification.
Fraud/Risk: bypass rules (multi-accounts, third-party payment, proxy/VPN - subject to the law).
Audit/WORM: unchanging logs of checks, decisions and communications.

Fail-safe: if AGE/KYC is not available - only "read-only" profile and policy conclusions (if allowed), rates/deposits are blocked.

7) Risk signals and investigation triggers

Repeated failed age/document checks.
Name mismatch in the payment instrument and account.
Frequent nightly attempts to enter from school/university IP bands (if legally and ethically processed).
Mass registrations from domains associated with educational institutions (only as a soft indicator).
Appeals to support with signs of a minor (vocabulary, requests to bypass AGE, etc.).

8) Incidents and reaction

1. A minor's account was found after admission.

2. The ad is shown to a child audience.

3. The partner led the traffic of minors.

• Immediate blocking of account/campaign; freezing promo/bonuses.
• Return of deposit within policy and law (no "winnings").
• Notification of compliance/licensor, if necessary; documentation of causes, time line, prevention measures.
• Debriefing with vendor/affiliate, sanctions/termination.
• Post-sea: amendments to the rules for filtering, updating texts and triggers.

9) Communications (templates)

• "Sorry, we can't open an account. Our services are only available from [minimum age]. For your safety, we've closed access to games and ads"

• "We have suspended the account due to an unconfirmed age/inconsistency. Deposits will be returned according to the rules. If an error occurs, follow the instructions to recheck"

• "We pay special attention to the protection of minors. Please review the Device/Browser Parental Controls guide and contact us for questions"

10) Juvenile protection policy (skeleton for wiki)

1. Purpose and scope (all brands/channels/partners).
2. Age threshold and list of acceptable sources/documents.
3. AGE/KYC procedures, escalations and re-checks.
4. Marketing and affiliates: bans, suppression, audits, sanctions.
5. Incidents: Scenarios, Notice Periods, Reimbursements/Returns.
6. Privacy: minimization, retention, DPIA.
7. Audit and reporting: frequency, format, board/regulator metrics.

11) Metrics and SLO

AGE Verification Rate: the proportion of users who passed the verification before the deposit (target → 100%).
Time-to-Verify: median verification time (target - seconds/minutes).
False Allow/False Block - percentage of tolerance/deviation errors (<target thresholds).
Minor Incident Rate: number of confirmed cases of minors per 10k registrations (→ 0).
Marketing Suppression Accuracy: no coverage for minors (~ 100%).
Affiliate Compliance Score: percentage of partners without violations for the period.
Audit Completeness: completeness of audit and decision logs (→ 100%).

12) RACI (roles and responsibilities)

13) Checklists (operating)

Before market launch

• Minimum age and verification sources are fixed.
• Configured AGE guards in Auth/Deposits/Game.
• Pre-verify suppression marketing enabled.
• Communication templates are localized and approved.
• Incident Playbook and Logs (WORM) prepared.

Daily/Weekly

• Monitor Time-to-Verify and False Allow/Block.
• Viewing fault logs and manual reviews of controversial cases.
• Affiliate reconciliation: traffic sources, creatives, geo.

In case of incident

• Account/campaign block, capturing artifacts.
• Policy notifications and returns.
• Post-sea and corrective measures.

14) Implementation Roadmap (6 steps)

1. Policy and legal analysis: age, docks, sources, marketing-prohibitions, DPIA.
2. Architecture: AGE/KYC services, guards in gateways, suppression hub, WORM logs.
3. UX/content: disclaimers, honest onboarding, parent section, rejection texts.
4. Partners: update contracts, launch audit of affiliates/vendors.
5. Observability: metrics/SLO, alerts, board/licensor reports.
6. Improvements: False Allow/Block reduction, verification acceleration, team training.

15) Frequent mistakes and how to avoid them

Do → always block access to deposits before the AGE check is confirmed.
Aggressive marketing prior to verification → enable suppression by default.
Storage of excess PD → minimization, pseudonymization, short retention periods.
Lack of affiliate control → contractual sanctions, regular audits.
No logs → use WORM storage and standard reason codes.
Dark patterns in onboarding → the risks of fines and reputational losses.

Total

Juvenile protection is an end-to-end circuit: rigid technical guards, multi-level AGE/KYC verification, responsible communication and marketing, affiliate discipline, clear incident playbooks, and provability through journals and metrics. This approach protects children, reduces legal risks and builds trust in your brand.