Through a stipulation agreement with the Colorado Division of Gaming, Carousel Group, the operator of MaximBet, has been fined $80,000 for an error that allowed bettors from outside the state to place online sports wagers during a 16-day window in December.
According to the stipulation agreement — which was filed with the Colorado Limited Gaming Control Commission (LGCC) and unanimously approved by the commission Thursday — from Dec. 1 to Dec. 16, sports bettors were able to place wagers through the MaximBet website without being geolocated, which allowed wagers outside of Colorado, in violation of state law.
MaximBet self-reported the issue to the Division of Gaming on Dec. 23, after a bettor made a call to the operator’s customer service department Dec. 18, “because he was unable to place a wager due to a failed location check.” When informed that bets must be made in Colorado, the customer “responded that had not been an issue previously,” according to the stipulation agreement.
The customer service request triggered an internal investigation at MaximBet, which found “one high-probability case and four suspected cases” of bettors being able to place wagers outside of Colorado.
According to the stipulation agreement, MaximBet wrote to the Division of Gaming, “We discovered a technical conflict between our fraud management system and GeoComply system, which introduced an edge case scenario in which the back end system was not correctly verifying all GeoComply tokens, which had allowed one player to place bets without verification.”
MaximBet’s investigation, according to the agreement, found only customers using web browsers were able to place wagers without being geolocated, while its “apps remained functioning as expected.” MaximBet said 29 customers placed wagers without being geolocated during that time, but “believed they could reasonably eliminate 25 patrons whose IP addresses had an association with Colorado,” and that those customers had been geolocated in Colorado since MaximBet “implemented a permanent fix” to address the lapse in geolocation.
An investigation by the Division of Gaming, however, noted that MaximBet’s “analysis to determine the scope of the geolocation issues made the assumption that any patron who had placed a wager and been successfully in Colorado continued to place their wagers in Colorado during the system error” and that MaximBet “had no way to confirm this assumption.” Those bettors, even though they previously made wagers in Colorado, could have and may have made wagers outside of Colorado at any time during the 16-day window, because they were not being geolocated.
MaxmBet’s investigation identified four bettors who “could not be ruled out as placing bets outside of Colorado.” Those bettors had addresses from Hickory, North Carolina; Pittsburgh, Pennsylvania; the Bronx, New York; and Portsmouth, New Hampshire. The initial bettor who contacted customer support had the North Carolina address, but Division of Gaming investigators were not able to contact the individual despite “several attempts.” The bettors from Pittsburgh and New Hampshire spoke with Division of Gaming investigators and “confirmed they were in Colorado when they placed their sports betting wagers.” The New York bettor was not reached by Division of Gaming investigators.
The Division of Gaming investigation also found that the average number of geolocation transactions logged in November and December through the MaximBet website, outside of the 16 days where geolocation was disabled, was 416 per day, and that the average number of failed geolocation transactions per day during that time was 21. The Division of Gaming therefore contended that an estimated 336 failed geolocation checks during the 16-day period could have occurred.
In February, the Division of Gaming met with representatives from Odds On Compliance, which MaximBet had hired “to assist them with compliance issues.” The Odds On Compliance reps explained that MaximBet turned off geolocation through its website Nov. 30, then turned it back on Dec. 17, but the agreement stated “the only reason they knew the timeframe was from the geolocation data.” To this end, MaximBet “did not know who turned the [geolocation] off or why, as they were not conducting any testing or changes at the time.”
MaximBet previously indicated that the configuration was for “testing purposes only,” but admitted later it was only alerted to the issue because of the North Carolina bettor’s call to customer service. Federico Rocca, head of operations at Carousel Group, told the Division of Gaming that MaximBet “had not identified the person or reason [geolocation] had been switched off,” and said MaximBet has “user access controls in place, but the controls were not formally documented within their internal control procedures.”
MaximBet reported to the Division of Gaming on Feb. 15 that it would close accounts for the customers “who did not reside in Colorado [and were] identified as possibly placing bets outside of Colorado.” It also “retroactively” voided their wagering activity and refunded the customers’ losses.
In a letter to the LGCC, Carousel Group CEO Daniel Graetzer said, “We regret the technical misconfiguration in our sports wagering platform” and that the company holds “regulatory compliance as a top priority.” Graetzer also wrote that Carousel has “voluntarily undertaken an audit of our Colorado operations and controls, instituted a more rigorous change management process, increased staffing in our compliance department, and updated our internal controls.”
In a statement, GeoComply said, “As verified through [the Division of Gaming’s] investigation, the technical integrity of our systems was not an issue. We have, however, collaborated with [MaximBet] to support updates to their internal controls and other corrective measures that address the underlying issue.”
Along with the $80,000 fine, which was based on a rate of $5,000 per day of violation, Carousel agreed to have its sports betting platform “re-certified by an independent testing laboratory approved by the Division [of Gaming],” to review its “user access controls to log system changes affecting production and test platforms,” to “audit their internal controls and submit proposed changes to the Division to address compliance issues,” and to comply with Colorado’s laws and regulations going forward.
“MaximBet takes regulatory compliance very seriously, which is why the moment we became aware of the issue, we immediately stopped accepting wagers and self-reported to the regulator,” said Doug Terfehr, Carousel’s vice president of marketing, in a statement. “Since the discovery, we voluntarily and successfully re-certified our platform to ensure full compliance, and in partnership with the regulator, completed a full audit of our systems to prevent this from reoccurring.”
Failure to comply with the conditions of the agreement will require an appearance before the LGCC “to show cause why further judgment and discipline should not be imposed,” which would have the maximum penalty of “revocation or suspension of licensing privileges” and a $25,000 fine for each charge of violation.