GH GambleHub

Age verification and age filters

1) Purpose and scope

Exclude minors from access to products, communications and promotions, and ensure compliance with license requirements and advertising/consumer-protection law. Coverage: registration/login, wallet/payments, CRM/marketing, affiliates, game partners, support (CS), Risk/KYC, Legal/DPO, reporting.

2) Principles

Zero Access for minors. No play, deposits, bonuses or marketing.
Verify-before-Use. Full access only after successful age/identity verification.
Data minimization. We collect only what is necessary and use reliable sources.
Neutral communications. Without stigma, without revealing anti-fraud algorithms.
Provability. Artifacts and logs are suitable for audits and inspections.

3) Roles and RACI

KYC Lead/Head of Compliance - policy, vendors, exceptions. (A)

Risk/KYC Analysts - verification, escalation, decisions and retention. (R)

CS/Trust & Safety - communication with players, appeal processing. (R)

Marketing/CRM/Affiliates - Age filters and campaign exceptions. (R)

Product/UX/Engineering - registration flows, blocking mechanisms, vendor API integrations. (R)

Legal/DPO - local regulations, privacy/PII, DPIA. (C)

Internal Audit - independent audits and CAPAs. (C)

Exec Sponsor (COO/CEO) - resources, "tone from the top." (I/A)

4) Age verification methods (stepwise)

Level 1 - Basic (Auto):
  • Match name + date of birth + address against state/credit/telco registers (where allowed).
  • Bank verification (open-banking/KYC-bank card → age ≥ threshold).
  • Mobile operator (KYC-SIM, date of birth in profile).
Level 2 - Documents (selection/escalation):
  • Passport/ID/driver's license/banned + OCR/face match, liveness check.
  • MRZ/barcode verification, lost/stolen document database.
  • Comparison of selfies with a photo of the document.
Level 3 - Att. confirmation (edge cases):
  • Notarial/state confirmations, certificates from state registers (if allowed).
  • Alternatives for idle clients (bank letters, resident ID card, etc.) - only with additional risks and permissions.

Decision: "full/limited/refusal" access + reason and review period.

5) Age thresholds and regional profiles

Game access: 18+ or 21+ (individual markets/verticals).
Marketing: segmentation with guaranteed 18+/21+ targeting.
Affiliates: job responsibility for filters and evidence.
Market profiles are maintained in the Age Profiles catalog: thresholds, permissible sources, SLAs and reporting formats.

6) UX flows and copy

Registration (before verification):
  • "We are required to confirm your age for secure access. It will take a couple of minutes."
  • Explanation of what data is required and why; link to privacy policy.
After the auto match (success):
  • "Age confirmed. Full control is enabled"
Document Request:
  • "The system was unable to automatically confirm your age. Upload a document (ID/passport/driver's license). Unnecessary fields can be hidden/masked according to the instructions."
Failure/below threshold:
  • "We can't provide access: the age is below the legal threshold. The account will be closed and data will be deleted according to policy."
Appeal (soft):
  • "If you think there has been an error, please appeal with the documents here. We will respond within X days"

7) Age filters in marketing/affiliates

CRM: global suppression flags 18-/21-, "unknown age" = exclude from all promos.
Paid advertising: mandatory 18+/21+ age targets/interests; site audit; no look-alike audiences built on "youth" segments.

Creatives: no teen style/language/imagery; "18+/21+" disclaimers.

Affiliates: contractual obligations covering age filters, a ban on youth venues, and passing marketing hits for selective reviews; audit right and clawback.

8) Data, privacy and retention

Data model (minimum): `user_id, dob, age_check_level, sources[], decision {pass|fail|insufficient}, reason, reviewer_id, artifacts[], retention_until`.
Minimization: store the verification result and document checksums; keep originals only as needed and for the required period.
Access: RBAC/ABAC, WORM logs, separate storage of PII/artifacts.
Retention: by law/license (often 5-7 years) or shorter if access is not granted.
DPIA and rights of subjects: transparency, DSAR through DPO, deletion by deadline.

9) Borderline and special cases

17 years 11 months: automatic fail and soft communication; block re-registration until the date the user turns 18/21.
Age "uncertain": access denied, re-request sources/documents.
Different dates in documents/registers: escalation to manual review.
Suspicion of substitution/someone else's document: refusal + internal fraud flag; if necessary, notification of the regulator.
"Family" card/phone: not accepted as proof of age.
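
An added example, not part of the original policy or any vendor's code: a fail-closed evaluation of the section 8 record that applies the market threshold, the "unknown age = exclude from all promos" rule and the re-registration block described above. The market names, threshold values, function names and the 29 February convention are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed sample markets; real thresholds come from the Age Profiles catalog.
THRESHOLDS = {"MARKET_A": 18, "MARKET_B": 21}


@dataclass
class AgeRecord:
    """Subset of the section 8 data model."""
    user_id: str
    dob: Optional[date]      # None while the age is unknown
    decision: Optional[str]  # "pass" | "fail" | "insufficient" | None


def nth_birthday(dob: date, n: int) -> date:
    """Date the person turns n. Assumption: a 29 Feb birthday counts as
    1 Mar in non-leap years (the later, more conservative choice)."""
    try:
        return dob.replace(year=dob.year + n)
    except ValueError:
        return date(dob.year + n, 3, 1)


def evaluate(rec: AgeRecord, market: str, today: date) -> dict:
    """Fail-closed gate: only a verified pass at or above the threshold
    gets access or promotions. An unconfigured market raises KeyError."""
    threshold = THRESHOLDS[market]
    denied = {"access": False, "promo_allowed": False, "reregister_after": None}
    if rec.dob is None or rec.decision in (None, "insufficient"):
        return {**denied, "status": "unknown"}
    eligible_on = nth_birthday(rec.dob, threshold)
    if today < eligible_on:
        # Below threshold overrides any stored decision, including a
        # mistaken "pass"; re-registration stays blocked until the birthday.
        return {**denied, "status": "fail", "reregister_after": eligible_on}
    if rec.decision != "pass":
        return {**denied, "status": "fail"}
    return {"access": True, "promo_allowed": True,
            "reregister_after": None, "status": "pass"}
```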

10) Control procedures

Pre-use gate: block games/deposits until age verification.
Dual-control: manual approvals on controversial cases (two analysts).
Document Forensics: liveness tests, anti-screen, EXIF analysis, font/field validation.
Spend-gate: when changing the status "unknown age" → "pass" update CRM/PSP/aggregators.
Monitoring: alerts for re-registration/device/address matches.
Vendor QA: regular vendor tests (precision/recall, SLA).

11) KPI/KRI and dashboard

Age Pass Rate (auto/document/manual).
Time-to-Verify (median/95th percentile).
False Accept/Reject.
Unknown-to-Pass Time (reg → full access).
Promo Suppression Integrity (% minors/unknown in promo = 0).
Auditability (% of cases with full package of artifacts).
Vendor SLA (response rate ≤ X sec/min).

12) Checklists

Before launch

  • Age threshold by market, sources and SLA agreed with Legal/DPO.
  • Registration/login flows block access before PASS.
  • CRM/Ads/Affiliates are connected to suppression flags.
  • Vendor(s) set up, test cases (positive/negative/edge) passed.
  • Retention policy and instructions for masking documents published.

In operations

  • Daily check of Unknown→Pass, cancellation of suspended cases.
  • Selective reviews of manual decisions (≥ 10%/quarter).
  • SLA for complaints and appeals ≤ X days.
  • Synchronize statuses with game providers/PSPs.

Audit/Improvement

  • Quarterly A/B tests of copy and registration steps (no security compromise).
  • Reconciliation of logs with reports to regulators.
  • CAPA for repeated incidents/comments.

13) Scripts and templates

A) Request for documents (neutral):
💡 To complete access, confirm your age with a document (ID/passport/driver's license). You can hide optional fields according to the instructions. It helps us comply with the law and protect users.
B) Failure (below threshold):
💡 We cannot grant access because the age is below the legal threshold. The account is closed. Data will be deleted according to policy.
C) Appeal:
💡 If you believe there has been an error, please appeal and attach the document. We will respond by [date].

D) The answer to the question "why can't you play right away?"

💡 The law requires making sure users have reached the minimum age. It usually takes a few minutes after the document is uploaded.

14) Technical skeleton

Events:
  • `age_check_started`, `age_check_auto_pass/fail`, `docs_requested`, `docs_received`, `manual_review_pass/fail`, `age_pass_synced_to_crm/psp/games`, `marketing_suppressed`.
API:
  • `POST /kyc/age-check`, `POST /kyc/docs`, `GET /kyc/status`, `POST /kyc/decision`, `POST /crm/suppress-age`, `POST /affiliates/age-policy-ack`.
Storage:
  • At-rest encryption; EXIF stripping; artifact checksums; WORM logs.
Feature flags:
  • `age.gate.required`, `age.docs.level2`, `ads.suppress.unknown`, `affiliates.enforce_age_filters`.

15) Frequent mistakes and prevention

Access before confirmation. → Hard pre-use gate.
"Unknown age" is included in the promo. → Default is suppress.
Weak document checks. → Liveness, face match, forensics.
Excessive data collection. → Minimize fields, mask unnecessary.
Long manual check. → SLA, queues, auto-prioritization, workflow bot.
Uncoordinated affiliates. → Contractual clauses, postback control, right to audit.

16) Regional cards (template)


Market: ______
Age threshold: 18+ / 21+
Permitted sources: state register / bank / telco / documents
SLA: ack ≤ __ h, decision ≤ __ d
Reporting: format/frequency
Special requirements: local storage, ban on biometrics, etc.

17) 30-day implementation plan

Week 1

1) Approve thresholds and sources by market; DPIA.
2) Specify log/lock flows and data/log model.
3) Select/contract vendor(s) (registers/documents/telco/bank).

Week 2

4) Implement pre-use gate and API integration; set up CRM/Ads suppression.
5) Prepare copy/locales, masking instructions.
6) Train CS/KYC; release scripts/FAQs.

Week 3

7) Pilot (5-10%): Pass Rate/TTVerify/False Reject metrics.
8) Tuning thresholds/timeouts/UX.
9) Checking affiliates and advertising accounts for filters.

Week 4

10) Full release; dashboard KPI; daily monitoring of incidents.
11) Management report; CAPA on comments.
12) Plan v1.1: additional sources (open-banking/telco), auto-prioritization of manual cases.


Related sections:
  • KYC procedures and inspection levels
  • AML policy and transaction control
  • Compliance Awareness/Code of Ethics
  • Responsible play and limits
  • Self-exclusion and account blocking
  • Reality Checks and Game Reminders
  • Regulatory reports and data formats
  • Internal and external audit/Audit checklists