Bonus-abuse and financial protection

1) What is bonus-abuse and why is it a financial problem

• Direct losses: cost of bonus, free spins, promo fees/FX, CB/Refund.
• Distortion of metrics: inflated AR/MAU, false uplifts.
• Payment risks: "carousels" depozit→vyvod, chargeback-farming.
• License risks: violations of RG/KYC/AML, misleading promotions.

2) Taxonomy of abuse (patterns)

1. Stacking - multiple bonuses per person/household/device/payment token.
2. Net-deposit loops - deposit for the sake of bonus → minimum rates → withdrawal or chargeback.
3. Hedging/Arbitrage - bets in interconnected markets/games to "close" the risk.
4. High-RTP cherry-picking is a title-only game with a high WR contribution.
5. Method arbitrage - cheap deposit method → expensive/fast output corridor.
6. FX arbitration - speculation on the exchange rate difference between deposit and withdrawal.
7. Multi-accounting - clones with reuse of devices/networks/means of payment.
8. Chargeback farming - bonus play, then deposit return via dispute/chargeback.
9. KYC-evasion - targeted bypass of SoF/SoW, country substitution (VPN/Proxy/SIM).

3) Financial protection (policy core)

ND (Net Deposits) -gate: participation/payments at'ND ≥ 0 '(or threshold'ND ≥ θ').
Same-method/Return-to-source: output to the ND amount - only to the deposit source.
Payout-locks: inhibit/restrict output on an active bonus until WR is executed and violations are checked.
WR & Contribution%: transparent wagering rules (BONUS-ONLY or BONUS + DEPOSIT) and weight by game category.
Max bet at WR: absolute limit or bonus share (for example, '≤ 5 EUR' or '≤ 10% bonus').
One-per constraints: по person/household/device/payment_token.
Game/risk exclusions: prohibition of "buying freespins," jackpots, abnormally high RTP titles.
Velocity caps: limits on the frequency of deposits/withdrawals/failed payments.
Rolling-reserve/holdbacks: insurance buffer on partners/sub-merchants and for high-risk players.
FX policy: fix the reference rate on the bonus grant; monitor slippage during payout.

4) Risk signals (payment and behavioral)

Payment: BIN-geo ≠ KYC-country, frequent soft-declines, new tokens in a row, card/wallet, well-known "high-risk" issuers.
Device/Network: device-graph matches other accounts, shared IP/ASN/VPN/hosting.
Behavior: only high-contrast games, instant output after min-deposit, repetition of WR violations.
Geo: KYC≠IP≠SIM, abnormal geo-velocity.
Docs: suspicious KYC/POA/SoF (low quality, patterns, reuse).
FX: deposits in "weak" currency, conclusions in "strong," temporarily high spread.

Risk scoring: linear model/GBM with features by blocks (Payment/Device/Behavior/Geo/FX), calibration of thresholds for step-up (KYC/Liveness/SoF) and deny.

5) Policy engine

Idempotence: payment_token/household/device grant disposability.
"Before deposit" rules: eligibility by GEO/KYC/ND/one-per.
"After deposit" rules: grant activation, max bet, WR, game-mix, timer.
Rules "on output": same-method, ND-cut, SoF/SoW step-up, hold/deny.
Audit: rule version, reasons, evidence (for appeals and regulator).

6) Playbook incident

1. Abuse wave (stacking): immediate freeze of this campaign's grants, WR recalculation, selective SoF, token/households banding.
2. Chargeback surge: enable 3DS-step-up, tighten same-method, increase hold on leads and PSP reserve.
3. FX arbitration: temporarily limit cross-currency conclusions and introduce spread-guard.
4. Method arbitrage: close "expensive" corridors for ND-negative, enable return only to the source.

7) Law, RG and Privacy

Terms & Promo T&C: short version in check-out, full - in profile; localized.
RG: self-exclude/limits - bonuses are not available; cooling-off resets active grants.
KYC/SoF: data minimization, explicit consent, retention policies, DPA.
Sanctions/licenses: whitelists of countries, bans on types of promos in specific jurisdictions.

8) Data and model (minimum)

sql
-- Игрок и атрибуты риска risk.player_signals (
user_id PK, risk_score NUMERIC, nd_total NUMERIC, nd_30d NUMERIC, nd_7d NUMERIC,
kyc_level TEXT, geo_ip TEXT, geo_kyc TEXT, geo_sim TEXT,
device_hash TEXT, household_id TEXT, payment_token_last TEXT,
fx_profile JSONB, updated_at TIMESTAMP
);

-- Гранты бонусов и прогресс/нарушения bonus.grants (
grant_id PK, promo_id, user_id, deposit_tx_id, currency,
bonus_amount NUMERIC, granted_at TIMESTAMP, expires_at TIMESTAMP,
status TEXT -- ACTIVE    FORFEITED    COMPLETED    EXPIRED    FROZEN
);
bonus.wr_progress (
grant_id, user_id,
turnover_slots NUMERIC, turnover_tables NUMERIC, turnover_live NUMERIC,
turnover_total NUMERIC, required_total NUMERIC, updated_at TIMESTAMP
);
bonus.violations (
id PK, grant_id, user_id, type TEXT, severity TEXT, details JSONB, occurred_at TIMESTAMP
);

-- Нетто-депозиты и разрез по методам finance.net_deposits (
user_id, currency, nd_total NUMERIC, nd_by_method JSONB, updated_at TIMESTAMP
);

-- Выводы и причины hold/deny payout.requests (
payout_id PK, user_id, method TEXT, currency TEXT, amount NUMERIC,
nd_snapshot NUMERIC, same_method_ok BOOLEAN, risk_score NUMERIC,
status TEXT, reason_code TEXT, created_at TIMESTAMP, decided_at TIMESTAMP
);

9) Pseudo-DSL rules

yaml policy: "bonus_abuse_v4"
eligibility:
geo_whitelist: [DE, AT, FI]
kyc_min: L1 nd_min: 0 one_per: [person, household, device, payment_token]
deny_if:
- sanctions_hit == true
- risk_score >= 0.85 grant:
max_bet_amount:
EUR: 5 wagering:
base: BONUS_ONLY multiplier: 30 contrib:
slots: 100 tables: 25 live: 10 game_exclusions: [JACKPOT, BUY_BONUS]
controls:
payout_lock: UNTIL_WR_DONE same_method: true allow_nd_withdrawal: true fx_spread_guard_bps: 80 method_arbitrage_block: true escalations:
- if: nd_7d < 0 then: "deny_new_bonus"
- if: device_household_overlap >= 2 then: "manual_review"
- if: cb_rate_30d > 0.8% then: "hold_payout_48h"
audience:
exclude_segments: ["self_excluded", "high_risk_bin"]

10) SQL templates

10. 1. ND-gate and same-method on output

sql
SELECT r.payout_id,
(nd.nd_total >= 0) AS nd_non_negative,
(t.method = r.method AND t.payment_token = r.payment_token) AS same_method_ok
FROM payout.requests r
JOIN finance.net_deposits nd ON nd.user_id = r.user_id AND nd.currency = r.currency
JOIN dw.transactions_flat t ON t.tx_id = (
SELECT deposit_tx_id FROM bonus.grants
WHERE user_id = r.user_id AND status IN ('ACTIVE','COMPLETED')
ORDER BY granted_at DESC LIMIT 1
)
WHERE r.status='PENDING' AND r.created_at BETWEEN:from AND:to;

10. 2. Detection household/device overlap

sql
SELECT suspect.user_id, base.user_id AS overlap_with, suspect.device_hash, suspect.household_id
FROM risk.player_signals suspect
JOIN risk.player_signals base
ON suspect.user_id <> base.user_id
AND (suspect.device_hash = base.device_hash OR suspect.household_id = base.household_id)
WHERE suspect.updated_at > now() - INTERVAL '30 days';

10. 3. Max-bet and game-mix violations

sql
SELECT b.user_id, b.grant_id,
SUM(CASE WHEN b.amount > l.max_bet_amount THEN 1 ELSE 0 END) AS maxbet_viol,
100.0 SUM(CASE WHEN game_category='slots' THEN b.stake ELSE 0 END)
/ NULLIF(SUM(b.stake),0) AS slots_share_pct
FROM dw.bets b
JOIN bonus.session_limits l USING (grant_id, user_id)
WHERE b.placed_at BETWEEN:from AND:to
GROUP BY 1,2
HAVING SUM(CASE WHEN b.amount > l.max_bet_amount THEN 1 ELSE 0 END) > 0
OR 100.0 SUM(CASE WHEN game_category='slots' THEN b.stake ELSE 0 END)
/ NULLIF(SUM(b.stake),0) >:one_game_share_max;

10. 4. Chargeback-post-bonus monitoring

sql
SELECT method,
10000.0 SUM(is_chargeback::int) / NULLIF(COUNT(),0) AS cb_bps_14d
FROM risk.outcomes o
JOIN dw.transactions_flat t USING (tx_id)
WHERE o.occurred_at BETWEEN (CURRENT_DATE - INTERVAL '14 days') AND CURRENT_DATE
AND EXISTS (SELECT 1 FROM bonus.grants g WHERE g.deposit_tx_id=t.tx_id)
GROUP BY method
ORDER BY cb_bps_14d DESC;

10. 5. FX-slippage in promo

sql
SELECT g.promo_id,
SUM(fx_effective - fx_reference) 10000.0 / NULLIF(SUM(amount_reporting),0) AS fx_slippage_bps
FROM dw.transactions_flat t
JOIN bonus.grants g ON g.deposit_tx_id=t.tx_id
WHERE t.settled_at BETWEEN:from AND:to
GROUP BY 1;

11) KPI and dashboards

Abuse Rate: Proportion of grants with violations/investigations.
WR Completion % / Time-to-WR (p50/p95).
ND Gate Hit% and proportion of ND <0 among participants.
Chargeback After Bonus (bps) by Method/PSP/geo.
Payout Hold Share and medium TAT solutions.
FX Slippage (bps) by promo/currency.
Promo Liability (liability) and Breakage%.
Household/Device Overlap Index (clustering).

12) Alerts and thresholds

Abuse Spike: рост `violations/100 grants` > X d/d.
CB Surge Post-Bonus: cb_bps_14d by method/geo> threshold.
ND Negative Share ↑: ND share <0 among withdrawal requests> Y%.
Max-Bet Burst: Spike in violations> threshold by brand/title.
FX Anomaly: slippage_bps> currency pair limit.
Household Bloom: A large new cluster of devices/addresses.
Policy Drift: grants without a fixed version of the rules/consents.

13) UX patterns (no "burn" conversion)

Short conditions card on the deposit screen (min dep, WR, max bet, same-method).
WR-progress-bar + deadline, contribution by category.

Explanation of ND/conclusions: "Up to the amount of net deposits - only to the source."

Soft step-ups: SoF/selfie on signal; transparent deadlines.
Appeals: "challenge" button with a checklist of documents.

14) A/B protection tests

What to test: 'nd _ min', 'max _ bet', 'WR multiplier/base', 'one _ per' -strategies, 'fx _ guard'.
Guardrails: CBR bps, Abuse Rate, AR/Take-Rate, Payout TAT.
Method: stratification by GEO/BIN/method, CUPED by pre-behavior, lag on CB/conclusions.

15) Implementation checklist

• ND model and cross-section by methods; same-method/return-to-source в payout.
• Promo DSL + rule validator, versions and audits.
• Max bet, WR, contrib%, exclusions; velocity limits.
• Device/household graph; BIN geo/FX profiles.
• Risk scoring + step-ups (KYC/SoF) and deny threshold.
• Hold/Reserve mechanics on leads and PSP.
• KPI dashboards and alerts; incident playbooks.
• Legal texts (locale), RG gates, consents and retentions.
• Appeals process and manual decisions with SLAs.
• A/B with strict guardrails and data frieze.

Resume Summary

Effective protection against bonus-abuse is a system, not a set of prohibitions: ND control and same-method on payments, strict WR/max-bet and contrib%, Payment/Device/Behavior/FX signals, risk scoring with step-ups, transparent UX and legal purity. Such a stack reduces direct losses, stabilizes P&L and preserves an honest experience for conscientious players - without unnecessary friction and "false positives."