Over the last six months, dozens of college and professional athletes have found themselves in hot water for violating league policies by wagering on sports.
The infractions have ensnared athletes at two major Iowa universities, placing their collegiate careers in jeopardy. In the professional ranks, suspensions have cost NFL players millions of dollars.
A cutting-edge tool that provides regulatory and compliance solutions through an encrypted, cross-monitoring platform may help prevent such problems in the future. Launched in April, Prohibet offers “one-stop shopping” for regulators, sportsbook operators, and leagues in detecting gambling activities among athletes.
In the last month alone, the UFC, two major sportsbook operators, several collegiate conferences, and a university in the Atlantic Coast Conference have partnered with Prohibet for enhanced sports wagering monitoring solutions. The product officially went into use on Sept. 1; prior to that, it was in a beta-pilot phase.
At the moment, Prohibet is one of the sports betting industry’s only comprehensive solutions that monitors prohibited bettor activity, according to the company. From a regulatory standpoint, there has been widespread support for the product, said Matt Heap, managing director of Prohibet, in an interview with Sports Handle. In June, Heap held a call with around 130 regulators from numerous states across the country.
In most cases, sportsbook operators have likely conducted their due diligence to determine if bettors under scrutiny were also prohibited from wagering, Heap notes. But until now, in his view, there has not been a commercially reasonable product like Prohibet to serve as a check with the expansive databases maintained by the operators.
“It’s going to be great for the industry in putting that force field up,” Heap said.
As the threat of large-scale cyber intrusions proliferates, the importance of protecting a bettor’s Personally Identifiable Information (PII) has become increasingly critical. But when it comes to flagged betting incidents, balancing data protection with the need to conduct a thorough, speedy investigation may require high-wire dexterity. A ubiquitous, high-tech clearinghouse such as Prohibet could deliver the solution.
Suspensions in the NFL
Every major U.S. pro sports league has restrictions in place that bar athletes from wagering on their own sport. The NFL also has a zero-tolerance policy for gambling in the workplace, although that’s not the case in all leagues.
In the NBA, for instance, a player from the Minnesota Timberwolves would be prohibited from placing a prop on the first player to sink a 3-pointer in a Lakers-Clippers game. There are no restrictions, however, on the NBA player wagering from his locker on the winner of The Masters.
In the NFL, once a player enters a league facility, there is a blanket policy that prohibits him from betting on any sport. The players are also restricted from engaging in other forms of gambling such as online poker and blackjack.
When asked last week how the NFL views the commercialization of legal sports betting, Commissioner Roger Goodell responded that protecting the integrity of the game is the league’s utmost priority. That was several weeks after Goodell commented that the league’s policies regarding sports betting “will evolve” in the wake of a rash of player suspensions during the 2023 offseason. Since mid-April, nearly a dozen NFL players have been suspended for gambling-related violations, most notably former Indianapolis Colts defensive back Isaiah Rodgers Sr.
Rodgers, who apparently apologized to teammates for his gambling transgressions, reportedly placed hundreds of wagers on sports, including many from his locker at the Colts’ practice facility, a source told Sports Handle. In one notable case, according to ESPN, Rodgers placed a $1,000 wager on a former teammate to hit the over on a rushing yardage prop in a 2022 game.
Prohibet’s system contains real-time alerts that allow for potential regulatory and sports league violations to be addressed proactively and swiftly, according to the company. The collaborative solution may result in greater transparency in assessing potential policy infractions. In turn, some prohibited bettors who engage in rampant wagering violations could be caught before their gambling habits spiral out of control.
On the operator side, top sportsbook brands such as DraftKings, FanDuel, BetMGM, and Caesars Sportsbook have yet to indicate if there is interest in partnering with a third-party prohibited bettor solution.
Although some form of sports betting is legal in more than 30 states, hardly any states compel the leagues to share a list of prohibited bettors. Nearly all state laws, however, list college and professional athletes and those associated with college and professional teams as being prohibited from betting. The lists can be used as an enforcement tool against certain gamblers who are excluded from wagering on sports.
In Colorado, where Heap once served as the division of gaming’s head of sportsbook operations, a prohibited sports betting participant includes “any person who is an athlete, coach, referee, or player,” in an event overseen by that “person’s sports governing body.”
There are also detailed regulations covering prohibited sports bettors in Ohio and Michigan. In the Buckeye State, which launched online sports wagering in January, a sports governing body must have a procedure for providing the Ohio Casino Control Commission with a “list of persons who are involved in sporting events.” Most states have language with definitions of “prohibited bettors.”
The rash of player-gambling incidents this year has shined a light on potential enforcement gaps in the system. When conducting an investigation into possible sports wagering violations, regulators have the tools to “forensically” examine the cases, an industry source told Sports Handle. The challenge in the past has been to convince every single sports league to share the lists with regulators. As a result, it has become even more important to find an encrypted solution that the “leagues can trust,” he emphasized, while alluding to Prohibet.
“You can’t just give out Tom Brady’s personal information,” U.S. Integrity founder Matt Holt told Sports Handle in May. U.S. Integrity launched Prohibet in conjunction with Odds on Compliance, a Florida-based consultant that specializes in sports betting, iGaming, and gambling compliance issues.
If a professional athlete places a wager on an event in their own league, some states have provisions requiring the sportsbook that detects the wager to report the activity to the gaming regulator. Citing privacy concerns, some professional sports leagues have been reticent to share the prohibited bettor lists with the states. This spring, Iowa Racing and Gaming Commission Administrator Brian Ohorilko told Sports Handle that the NBA is the only pro sports league that has provided that type of list to the state.
Furthermore, cross-referencing between various databases is not necessarily as easy as it seems. During the 2021 NFL Draft, for example, the Jets selected Michael Carter, a running back from the University of North Carolina, in the fourth round. A round later, the Jets took Michael Carter, a defensive back from Duke with the No. 154 overall selection. It is uncommon for two players with the same legal name to suit up for one team, but it can create confusion.
ProhiBet has plans to launch at the start of football season. Its technology will provide an encrypted clearinghouse for non-voluntary exclusion lists and solve the problem of privacy issues that leagues are now grappling with, writes Jill Dorson. https://t.co/FTskirV9a6
— Sports Handle (@sports_handle) May 10, 2023
When attempting to determine a match, investigators can use a litany of inputs for identification purposes, ranging from a user’s first and last name, phone number, and address to their driver’s license number, Social Security number, and email. Even then, there could be discrepancies that complicate the investigatory process.
As a case in point, the aforementioned Jets running back may be listed as “Michael Carter” in a league database. Hypothetically, if someone with that name opens a mobile sports betting account, there is the possibility he will list “Mike,” instead of “Michael,” when completing the registration process. In that instance, there will be “no match” between the databases from the league and the operator. In more nefarious cases, the inputs will not match if the league has one email listed for a player and the player deliberately uses a friend’s email to open a sports betting account.
This is where Prohibet comes in. Prohibet’s system contains a robust data security framework that may give some leagues comfort when facing difficult questions surrounding data protection.
A technique known as “cryptographic hashing” provides an added layer of protection when concerns arise that closely guarded personal data may end up in the wrong hands. With hashing, you can convert a recognizable name (e.g., LeBron James or Patrick Mahomes) to an anonymized code (e95e5947ab or 18f465b72). In layman’s terms, think of hashing as a way to transform a recognizable identity into a string of characters as a method of securing information.
Tip to make your developer life easier 💡
Hashing and encryption are two different cryptographic functions which you can use to secure information. In this article we explain them and give examples on how you can use it. https://t.co/jArlj5xWl1 #developer #ecommerce #Tips
— Hypernode (@Hypernode_com) January 21, 2022
Prohibet relies on various PII fields to identify potential matches between sports bettors and prohibited individuals. As part of the process, sensitive personal data such as a driver’s license ID or the last four digits of a player’s Social Security number never leave a league server. From there, all of the data is encrypted and is converted into a tag that is known as an “indecipherable slug.” Prohibet will detect a match when the slug from the league server is the same string of characters as the slug from the sportsbook operator’s app.
When Prohibet receives the coding on its detection server, the corresponding slug from a player’s driver’s license will already be converted to an anonymized tag. For argument’s sake, let’s say the slug from the league server reads: “5c1uu45az837.” At the same time, the detection server will receive anonymized data from a flagged betting incident provided by a sportsbook. If the slug of the driver’s license provided by the operator also reads “5c1uu45az837,” there is a match.
The data on the detection server (Prohibet) is “one-way hashed,” and not detectable in any way, the company explains. Moreover, leagues that partner with Prohibet will have an independent encryption key. Those keys are stored on a separate server for another layer of protection, according to Prohibet.
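The slug comparison described above, sketched as an added example; it is not Prohibet's code, whose internals the article does not describe. It assumes HMAC-SHA256 as the keyed one-way hash, that league and operator derive tags with the same per-league key, and uses constructed field names, key, and records.

```python
import hashlib
import hmac
import re
import unicodedata

# Constructed demo key (assumption). The article says each league has its own
# key held on a separate server; a key matters because an unkeyed hash of a
# low-entropy field (a name, four SSN digits) can be recovered by enumeration.
LEAGUE_KEY = b"constructed-demo-key-not-a-real-secret"

def normalize(field, value):
    """Canonicalize a PII value so both parties hash identical bytes."""
    text = unicodedata.normalize("NFKC", value).strip().casefold()
    if field in ("drivers_license", "phone", "ssn_last4"):
        return re.sub(r"[^0-9a-z]", "", text)   # drop dashes, spaces, dots
    return re.sub(r"\s+", " ", text)            # collapse inner whitespace

def slug(key, field, value):
    """Keyed one-way tag for one field; the field name is bound in so equal
    values in different fields never produce the same tag."""
    msg = field.encode() + b"\x00" + normalize(field, value).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def slug_record(key, record):
    """Runs on the league or operator side; plaintext never leaves it."""
    return {field: slug(key, field, value) for field, value in record.items()}

def matching_fields(league_slugs, operator_slugs):
    """Detection-server side: sees only tags and compares them for equality."""
    return sorted(
        f for f in league_slugs
        if f in operator_slugs
        and hmac.compare_digest(league_slugs[f], operator_slugs[f])
    )

# Constructed records mirroring the article's "Mike" vs "Michael" scenario.
LEAGUE_RECORD = {
    "name": "Michael Carter",
    "email": "m.carter@league.example",
    "drivers_license": "D123-4567-8901",
}
OPERATOR_RECORD = {
    "name": "Mike Carter",                  # nickname: tag will not match
    "email": "a.friend@mail.example",       # someone else's email: no match
    "drivers_license": "d123 4567 8901",    # same ID, different formatting
}

if __name__ == "__main__":
    hits = matching_fields(slug_record(LEAGUE_KEY, LEAGUE_RECORD),
                           slug_record(LEAGUE_KEY, OPERATOR_RECORD))
    print("matching fields:", hits)
```

Normalization has to happen before hashing because a hash either matches exactly or not at all; the nickname and borrowed email defeat the name and email tags, while the government ID still matches.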
The matching system is also segmented with separate categories on potential incidents, confirmed incidents, and resolved ones. A user can log on to the portal to receive an indication if there is a 50-50 likelihood that a potential incident may rise to a confirmed one, or if the probability is much higher with a matching confidence of around 97%.
Interest from the leagues
In the wake of the allegations against Rodgers, the former Colts defensive back, the NFL held a 45-minute conference call on a bevy of sports gambling matters in June. Weeks earlier, the league enlisted Tom Brady to deliver a responsible gaming video to NFLPA members emphasizing their role in maintaining the integrity of the sport. When she was asked about the league’s potential interest in sharing the exclusion lists with regulators, NFL Chief Compliance Officer Sabrina Perel said it is fair to conclude that the issue is foremost on the minds of regulators in many states.
In addition, she noted that the NFL continued to examine the issue, while taking into account privacy concerns. Since then, the NFL has not provided an update on any discussions with state regulators as it relates to the prohibited bettor lists.
Data privacy is also foremost on the minds of regulators in Massachusetts. Last December, the Massachusetts Gaming Commission adopted a set of emergency privacy and security requirements weeks before the launch of retail sports betting. The regulations align the MGC’s policies with the state’s data protection principles, which are among the most stringent in the nation. Within the regulations, a sportsbook operator must use “commercially reasonable standards” to confirm that a person who attempts to create a sports betting account “is not a prohibited person.”
MGC on track to launch the most comprehensive data privacy reg we've seen in the US…the problem is that operators are saying the timeline to implement that policy is unrealistic and they need an extension.
— Jessica Welman (@jesswelman) August 24, 2023
Some of the compliance standards in the regulation mirror a number of privacy requirements in the European Union’s General Data Protection Regulation (GDPR), according to a legal update from Eckert Seamans Cherin & Mellott LLC in February. Any type of personally identifiable information, including passwords, PINs, and other authentication credentials, is subject to this regulation, the authors of the memo wrote.
A separate Massachusetts regulation has a more narrow focus on data sharing, data use, and retention. Both of the regulations have been promulgated and filed with the Secretary of the Commonwealth’s office, an MGC spokesman told Sports Handle. However, the commission received and granted a waiver for all operators on the data privacy regulations until Nov. 17. Next week, the MGC will host a roundtable on the subject with the Massachusetts Attorney General’s Office and other stakeholders, he added.
Possible hurdles to overcome
A lobbyist from a major pro sports league told Sports Handle that there may be interest in exploring a partnership with Prohibet down the road if the platform proves to be a trusted solution.
Since Prohibet emerged out of beta testing less than two weeks ago, it is still too early to tell whether the product will receive large-scale implementation throughout the industry. In spite of dogged efforts to encrypt the PII of participating athletes, the company will likely need to navigate through a patchwork of state laws and regulations on data privacy.
One interpretation, according to a legal source, is that the sharing of a “hash,” even with anonymized coding, may run afoul of data privacy laws in some states. Still, the outliers may only serve as a minor impediment.
Down the road, one of the next incarnations of the prohibited bettor solution could incorporate a geolocation component. The opportunities for expanding the platform into areas such as anti-money laundering protection are vast, Heap notes. For his part, Heap indicated that the product has received support from a number of disparate stakeholders across the industry.
From a consumer protection standpoint, Prohibet’s cross-monitoring solutions may help tackle the prohibited bettor conundrum that has challenged industry stakeholders for the last several years.
“This was going to be an issue that had to be addressed — there just hadn’t been a product that had gone to market to fill that void,” Heap said.
“To me, it’s the missing link in the proverbial force field of the legalized sports betting market — to cover that integrity piece that quite frankly was completely void, or at least woefully insufficient.”