Free Demo
  • Linkedin
  • Twitter
  • Youtube

Daon named a Leader in the 2025 Gartner® Magic Quadrant™ for Identity Verification: READ MORE

Connect with a Daon solutions expert

Let us know how we can assist you

  • Product/Solution Information
  • Product Demonstration
  • Request for Proposal
  • Partnership Opportunities

See why many of the world’s strongest brands chose Daon to help them build lasting trust with their customers.

Why Sports Betting’s Identity Problem Goes Far Beyond Age

Sports betting’s identity problem extends far beyond age verification. Minors are accessing platforms through account sharing, proxy identities, and synthetic fraud that a birthday check at onboarding was never designed to catch. Operators need continuous identity verification combining document validation, liveness detection, and ongoing authentication to confirm the person placing bets is the same one who enrolled.



 

The headlines are easy to find. A 16-year-old in Arizona places bets using his father’s DraftKings account. A minor in Tennessee operates a sportsbook account for months before triggering a fraud flag. Across Ohio, regulators have catalogued hundreds of suspected underage accounts responsible for millions in flagged wagers. State gaming commissions are demanding quarterly public disclosures. Enforcement posture is tightening.

And yet, the conversation in most compliance circles still centers on age verification — as if confirming a date of birth is the hard part.

It isn’t. The hard part is confirming a person.

Online sports betting has a structural identity problem, and age estimation is only one symptom of it. Operators who treat age verification as a discrete compliance checkbox — something to clear at account creation and revisit only when a regulator asks — are solving for the wrong variable. The fraud patterns emerging across regulated U.S. markets make the case plainly: the industry needs a complete identity verification process, one in which age estimation plays an important role but cannot carry the full compliance load alone.

What Regulators Are Actually Asking For

Age verification in gambling is not a birthday prompt. Under the regulatory frameworks governing licensed operators in the United States and internationally, it is a mandatory, multi-layered process touching Know Your Customer (KYC) and Anti-Money Laundering (AML) obligations simultaneously.

The baseline requirement in most jurisdictions is document verification: players must submit a government-issued photo ID — a driver’s license, passport, or state-issued card — from which AI-powered systems extract and validate the date of birth in real time. That document is then cross-referenced against identity fraud watchlists, government ID databases, and the personally identifiable information the user provided at registration. Name, date of birth, address, and identification number must align. Discrepancies trigger rejection or escalation.

Layered on top of that are AML obligations that extend well beyond age. Source of funds, sanctions screening, politically exposed persons lists, and responsible gaming flags all fall within the compliance perimeter. Legal age thresholds vary by jurisdiction — 18 in some states, 21 in others — adding complexity for operators running multi-state or international platforms.

The regulatory environment, in other words, is not asking operators to confirm a birthday. It is asking them to confirm a person, verify that person’s eligibility, and maintain ongoing assurance that the person transacting is the same one who enrolled.

Three Ways Minors Are Getting Through

The fraud typology that has emerged from state regulator disclosures and investigative reporting breaks into three documented patterns, each of which exposes a different gap in verification architecture.

The most common is account sharing. A minor accesses a parent’s or relative’s existing account — sometimes with consent, more often without it. The account already passed verification at enrollment. Nothing in a standard KYC process flags the transfer of access after the fact. The identity on the account is legitimate. The person using it is not.

The second pattern involves proxy identity use. A minor operates under a trusted adult’s credentials, presenting that adult’s documentation during a verification step. Without liveness detection — technology that confirms a live human is present and matches the identity document — document verification alone cannot catch this. A photo of a parent’s license, held up to a camera, is not the same as a verified identity. The distinction matters enormously.

The third is the most serious: full synthetic or stolen identity fraud. Minors have been documented using deceased individuals’ Social Security numbers and entirely fabricated identity packages to create and operate accounts. This is not opportunistic. It is organized fraud, and it requires multi-layer identity verification to detect — not a single document check.

These are not edge cases or theoretical attack vectors. They are documented patterns across multiple states, filed with regulators, and in some cases referred to law enforcement. What the reports capture is only what surfaces. The rest doesn’t generate a regulatory filing.

Age Estimation Is a Capability, Not a Complete Solution

AI-driven age estimation — using facial biometrics to assess a user’s apparent age — is a genuine and valuable tool. It can function as a real-time signal during onboarding, a supplementary check when document data is ambiguous, and a friction point that catches mismatches before they become compliance events. It belongs in the verification stack.

It does not, however, replace the process around it. Operators who deploy age estimation as a standalone feature are solving for one attack vector while leaving the others documented above wide open. A minor using a deceased person’s Social Security number won’t be stopped by a facial age check. A 17-year-old accessing a parent’s account on a verified device won’t trigger an age estimation flag if the session looks behaviorally consistent with prior use.

A complete identity verification process in the gambling context requires several interlocking capabilities. Document verification — AI-powered validation of government-issued ID, including tamper detection, hologram analysis, and barcode cross-referencing — establishes the foundation. Liveness detection confirms that a live human is present at the point of verification and that the face matches the document, blocking photo substitutions, video replays, and increasingly sophisticated deepfake presentation attacks. Age estimation adds a biometric layer that can flag discrepancies between apparent age and claimed identity. And ongoing authentication — verifying that the person who enrolled is the person placing bets — addresses the account-sharing vulnerability that document checks at onboarding were never designed to catch.

Each layer addresses what the others cannot. That is the point of layering them.

The Business Case for Getting This Right

Compliance investment in identity verification is sometimes framed internally as a cost of doing business — a regulatory tax on customer acquisition. That framing underestimates the exposure on the other side of the ledger.

Regulatory penalties for compliance failures are increasing. State gaming commissions are mandating quarterly public disclosures of underage access incidents, and enforcement referrals to district attorneys are becoming more routine. The operators most visibly associated with underage betting incidents are also the ones fielding the most pointed questions from legislators evaluating whether the current regulatory framework is working.

Reputational exposure is asymmetric. A single documented case of a minor accumulating thousands in wagers on a platform generates press coverage that no compliance investment ever will. In an industry still negotiating its social license in many jurisdictions, that coverage carries weight.

There is also a customer trust dimension that extends beyond minors. Bettors — of legal age — are increasingly aware of how platforms handle identity. An operator that can demonstrate verified, trustworthy account management is better positioned to retain high-value customers and defend against account takeover fraud, which affects legal users at significant scale.

Finally, operators running multi-state platforms face a verification complexity that point solutions were not designed to handle. Age thresholds, document requirements, and regulatory frameworks vary across jurisdictions. Managing that complexity through a patchwork of individual tools is neither efficient nor auditable. A platform-level identity verification architecture — one that orchestrates document verification, liveness detection, age estimation, and ongoing authentication within a single, configurable workflow — is what compliance at scale requires.

Identity Verification as an Ongoing Commitment

The instinct in the industry has been to treat identity verification as a gate: something you clear at account creation and return to only when a regulator or a fraud alert forces the issue. The documented fraud patterns say otherwise.

Account sharing happens after enrollment. Synthetic identities are designed to pass initial verification. Behavioral anomalies that signal a different person is operating an account accumulate over time, not at the moment of sign-up.

The operators who build durable compliance programs will treat identity verification as a continuous process — present at account creation, at deposit, at withdrawal, at high-value wager, and whenever behavioral signals suggest the account may no longer be in the hands of the person who verified it. That posture doesn’t just satisfy regulators. It builds the kind of verified, trusted customer base that is increasingly difficult to acquire under growing legislative scrutiny.

Age verification is where the compliance conversation in sports betting tends to start. Identity verification is where it has to go.