
Glossary

Last updated: 24-03-2026

Fraud prevention and payment security in iGaming sit at an intersection that determines not only operator profitability, but fundamental regulatory survival — especially under New Zealand's incoming online casino licensing regime. The Online Casino Gambling Bill establishes strict expectations for operators who offer online casino gambling to New Zealand residents, heavily emphasizing consumer protection, harm minimisation, and financial integrity. It requires robust mechanisms to prevent money laundering, intercept underage gambling, and stop the exploitation of payment networks. This regulatory mandate is not merely a suggestion — it is a structural requirement that every operator entering the NZ market must integrate into their core payment flows. My role as a Fraud & Risk Analyst is to map these vulnerabilities systematically: identifying which payment methods carry inherent chargeback risks, how synthetic identities penetrate onboarding flows, and where the Department of Internal Affairs (DIA) and the Financial Intelligence Unit (FIU) expect to see rigorous Enhanced Due Diligence (EDD). The operators who engage with this analysis carefully will build resilient, profitable platforms. Those who treat payment security as an afterthought will eventually discover that the DIA's enforcement toolset, combined with the stringent requirements of the AML/CFT Act, is unforgiving toward platforms that become conduits for financial crime or friendly fraud.

What foundational payment and risk terms does every New Zealander need before evaluating iGaming security?

| Term | What it means | Security integration and NZ regulatory dimension |
| --- | --- | --- |
| Chargeback (Friendly Fraud) | A forced reversal of a credit/debit card transaction by the player's issuing bank, often falsely claiming the transaction was unauthorised | Chargebacks are a primary vector of financial loss in iGaming. In the NZ market, where major banks (ANZ, ASB, BNZ, Westpac) heavily scrutinise gambling transactions, operators must deploy 3D Secure (3DS2) to shift liability back to the issuer. High chargeback ratios not only drain revenue but can result in the operator losing their merchant processing facilities entirely, rendering them unable to operate under their DIA licence |
| AML / CFT Act | Anti-Money Laundering and Countering Financing of Terrorism Act 2009 | This is the bedrock of financial compliance in New Zealand. Casinos are reporting entities under the Act. Operators must conduct customer due diligence (CDD), monitor accounts for suspicious activity, and submit Suspicious Activity Reports (SARs) to the NZ Police Financial Intelligence Unit. Failure to implement robust AML controls is a direct path to losing a DIA operating licence |
| Closed-Loop Payments | A security protocol requiring players to withdraw funds only to the exact same payment method they used to deposit | This is an essential AML control. If a player deposits $500 via Visa, they cannot withdraw it to a newly added Skrill account. This prevents the platform from being used as a currency exchange or money laundering vehicle. In NZ, exceptions to this rule (e.g., when a deposit card expires) require manual risk review and explicit proof of ownership for the new withdrawal destination |
| Source of Funds (SOF) | Documentary evidence proving where a player's gambling money originated (e.g., salary, inheritance, sale of property) | Triggered by specific deposit thresholds or erratic betting patterns, SOF checks are a critical Enhanced Due Diligence (EDD) measure. The DIA expects operators to intervene if a player's spending is disproportionate to their known income. This bridges the gap between AML compliance (preventing dirty money) and Responsible Gambling (preventing players from gambling beyond their means) |
| Device Fingerprinting | Tracking unique hardware and software configurations (IP, browser, OS, screen resolution) to identify a user's device | Essential for detecting multi-accounting, bonus abuse, and self-exclusion evasion. If a player self-excludes from a DIA-licensed platform, they will often try to return using a new email and fake ID. Device fingerprinting allows the risk engine to recognise the physical device and block the synthetic account before a deposit is even attempted |
| Velocity Limits | Automated restrictions on the frequency and volume of transactions within a specific timeframe | Velocity checks prevent "card testing" (where fraudsters test lists of stolen credit cards using small deposits) and account takeovers (where a hacker tries to drain an account rapidly). A sudden spike of 5 failed deposit attempts from a New Zealand IP address within 60 seconds should automatically lock the cashier and trigger a manual review |

The foundational terms above clarify a point that operators frequently underestimate: risk management is not just about stopping bad actors; it is about satisfying regulatory mandates. The DIA and FIU do not accept "we didn't know" as a valid defense when illicit funds flow through a platform. A stolen credit card used to fund an account is not just a commercial loss via chargeback; it is a failure of the KYC and velocity screening systems. A self-excluded player managing to create a new account is a failure of device fingerprinting and identity resolution. Every payment and risk decision in the NZ market must start with this question: does our system architecture natively detect, pause, and review anomalous behaviour before the funds settle? If it relies entirely on manual post-transaction reviews, it is not fit for purpose under a strict licensing regime. Starting from proactive, automated risk scoring produces a much cleaner compliance record than relying on reactive damage control.

FRAUD & RISK SECURITY STACK: NZ OPERATOR
Real-time Detection Architecture · Compliance-First Integration (2026)

- LAYER 6: DEVICE & BEHAVIOURAL INTERFACE. Device Fingerprinting (Seon/Iovation) · IP Geo-fencing · Residential Proxy Detection. NZ: Detection of VPNs to bypass jurisdiction limits is mandatory for bonus abuse mitigation.
- LAYER 5: TRANSACTION SECURITY (3D SECURE 2.0). Velocity Limits · BIN Validation · AVS Matching · 3DS Risk-Based Authentication. NZ: Mandatory 3DS 2.0 implementation to defend against chargeback disputes on MCC 7995.
- LAYER 4: IDENTITY RESOLUTION (KYC). Biometric Liveness · automated OCR · exact legal name matching against DIA databases. NZ: R18 age threshold verification must be successful BEFORE first deposit triggers.
- LAYER 3: CORE RISK ENGINE (MACHINE LEARNING). RISK ACTION: Aggregate data (L4-L6) into dynamic Risk Scores (0-100). Score >80: Instant withdrawal lock + automated alert for manual AML analyst review.
- LAYER 2: AML & ENHANCED DUE DILIGENCE (EDD). PEP/Sanctions Screening · Source of Funds (SOF) · Wealth Verification Audits. NZ AML/CFT ACT: SOF documentation required immediately upon breaching spend thresholds.
- LAYER 1: REGULATORY REPORTING & AUDIT. GoAML Integration · Suspicious Activity Reports (SAR) · DIA Quarterly Audit Logs. NZ LAW: SARs must be filed within 3 working days to the NZ Police FIU. Criminal liability for failure.

⚠ SYSTEM REALITY: Security layers must communicate in <200ms. A failure at L6 bypasses the entire funnel.

The fraud architecture stack makes a crucial point visible: Layer 2 — the AML and EDD layer — relies entirely on the data gathered by the layers above it. In a legacy casino stack, risk checks often only happen at the point of withdrawal, but in a modern threat landscape, the security layer must wrap around the very first interaction. A player who connects via a residential proxy (detected at Layer 6) and attempts to use a prepaid card (detected at Layer 5) has generated risk alerts before an account is even fully registered. Operators who build payment gateways without a centralised Risk Engine (Layer 3) to process telemetry from all other layers are essentially flying blind. They rely on manual detection, which is mathematically impossible to scale. Under New Zealand's incoming licensing framework, proving to the DIA that your platform natively detects and isolates high-risk payment behaviour is a prerequisite to holding a licence.

Author's tip from James Whittaker, Senior Fraud & Risk Analyst | Payment Security: "The biggest friction point operators face when entering New Zealand is balancing user onboarding with strict KYC mandates. The temptation is to delay verification to reduce drop-off, but this is a fatal error for payment security. If you allow a player to deposit via Visa without verifying their legal name against the cardholder name, you are opening the floodgates to chargebacks and third-party funding (a major AML red flag). My recommendation: use seamless, background verification tools like live database lookups during sign-up. Force 3D Secure on all initial card deposits. Yes, it adds a few seconds of friction, but winning a chargeback dispute requires proving liability shift, and 3DS guarantees that. Furthermore, pushing local bank-to-bank solutions like POLi significantly cuts out card network fees and completely eliminates chargeback risk."

What advanced fraud typologies and payment concepts does every New Zealand iGaming operator need to monitor?

| Term | Category | Definition and Risk Relevance |
| --- | --- | --- |
| Account Takeover (ATO) | Cyber Fraud | When a malicious actor gains access to a legitimate player's account (often via credential stuffing or phishing) to drain wallet balances or use saved payment methods. Mitigated by enforcing Two-Factor Authentication (2FA) and locking withdrawals if an unknown device logs in or a password is changed |
| Bonus Abuse / Gnoming | Advantage Play | The practice of creating multiple fake accounts to repeatedly claim welcome bonuses. Fraudsters use varying degrees of synthetic identities, altered physical addresses, and IP spoofing. Robust device intelligence and strict "one bonus per household/IP" rules are required to protect marketing budgets |
| Synthetic Identity Fraud | Identity Forgery | Creating a fake persona by combining real data (like a stolen NZ driver's licence number) with fake data (a new email and phone number). Unlike standard identity theft, there is no "real" victim to complain, making it harder to detect without advanced cross-referencing against credit bureaus and government databases |
| Third-Party Funding | AML Violation | When a player deposits using a payment method (card, e-wallet, bank account) registered in someone else's name. This is a massive red flag under the NZ AML/CFT Act. Automated name-matching algorithms must block these transactions instantly to prevent the platform from acting as an unlicensed money transmitter |
| Card Testing / BIN Attacks | Payment Fraud | Fraudsters use scripts to rapidly attempt small deposits using thousands of stolen credit card details to see which ones are active. An unprotected cashier can process thousands of these per minute, resulting in massive gateway penalties and potential blacklisting by Visa/Mastercard |
| Suspicious Activity Report (SAR) | Regulatory Requirement | A formal document submitted to the NZ Police Financial Intelligence Unit when a transaction appears linked to criminal activity or money laundering. Tipping off the customer that a SAR has been filed is a criminal offense under NZ law, requiring delicate customer service handling when an account is frozen for investigation |
| Self-Exclusion Evasion | Harm Minimisation Failure | When a problem gambler attempts to bypass their own ban by registering with slightly altered details (e.g., "Jon Doe" instead of "John Doe"). The DIA views failure to detect self-excluded players as a severe breach. Fuzzy matching algorithms and shared national exclusion registers are vital controls |
| Smurfing / Structuring | Money Laundering | Breaking down a large sum of illicit cash into numerous smaller deposits specifically to stay below regulatory reporting thresholds (e.g., depositing $9,000 to avoid a $10,000 EDD trigger). Risk engines must calculate cumulative totals across days and weeks to detect structured deposits |
| IP Spoofing / Residential Proxies | Evasion Tactic | Using specialised software to route internet traffic through a legitimate domestic household IP address to bypass basic VPN blocks. Often used by international syndicates trying to claim NZ-specific bonuses or access games restricted in their true jurisdiction |

Reading these typologies together reveals the central tension in risk management: the features that make payments frictionless and user-friendly are precisely the features that malicious actors exploit. Instant deposits and rapid withdrawals are commercially necessary, but they leave tiny windows for intervention. The operators who will succeed in NZ's regulated environment are not those who lock down their cashier to the point of frustrating legitimate players. Success comes from using dynamic risk friction: a low-risk VIP using a verified bank account experiences zero friction, while a new user connecting via a proxy attempting to use a prepaid card is instantly met with biometric KYC challenges and EDD document requests. Risk management is not about stopping all transactions; it is about applying the right amount of friction to the right profile at the exact right time.
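
The Smurfing / Structuring entry above says risk engines must total deposits across days and weeks. The sketch below is an added example, not code from this page or any operator: it slides a look-back window over each account's deposits and flags the case where every deposit stays under the trigger but their sum does not. The 7-day window, the function name and the sample accounts are assumptions.

```python
from datetime import datetime, timedelta

EDD_THRESHOLD = 10_000        # NZD; the $10,000 trigger used in the glossary's example
WINDOW = timedelta(days=7)    # assumed look-back; set from the operator's AML policy


def structuring_alerts(deposits, threshold=EDD_THRESHOLD, window=WINDOW):
    """Flag accounts whose sub-threshold deposits sum past the threshold in one window.

    deposits: iterable of (account_id, datetime, amount).
    Returns one alert dict per account, at the first deposit that crosses the line.
    """
    by_account = {}
    for acct, ts, amount in sorted(deposits, key=lambda d: d[1]):
        by_account.setdefault(acct, []).append((ts, amount))

    alerts = []
    for acct, rows in by_account.items():
        start, total = 0, 0.0
        for end, (ts, amount) in enumerate(rows):
            total += amount
            # Slide the window: drop deposits older than `window` before this one.
            while rows[start][0] < ts - window:
                total -= rows[start][1]
                start += 1
            in_window = rows[start:end + 1]
            # A single deposit at or above the threshold triggers EDD by itself;
            # structuring is the case where every deposit stays under it.
            if total >= threshold and all(a < threshold for _, a in in_window):
                alerts.append({"account": acct, "from": in_window[0][0], "to": ts,
                               "deposits": len(in_window), "total": total})
                break
    return alerts


# Constructed sample data (not real transactions).
D = datetime(2026, 3, 1)
SAMPLE = [
    ("acct-A", D, 9_000), ("acct-A", D + timedelta(days=2), 4_500),   # structured
    ("acct-B", D, 2_000), ("acct-B", D + timedelta(days=10), 3_000),  # small, spread out
    ("acct-C", D, 12_000),                                            # trips EDD directly
    ("acct-D", D, 6_000), ("acct-D", D + timedelta(days=8), 6_000),   # outside one window
]

if __name__ == "__main__":
    for alert in structuring_alerts(SAMPLE):
        print(alert)
```

acct-D shows the limit of a single fixed window: two $6,000 deposits eight days apart pass a 7-day check, which is why the entry calls for totals over both days and weeks.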

The chart visualises a critical payment strategy: mitigating risk often means steering users toward inherently safer methods. Credit cards processed without 3D Secure offer great user experience but expose the operator to devastating chargebacks. Cryptocurrencies are irreversible (no chargeback risk) but carry immense AML compliance friction, requiring third-party wallet screening and complex SOF checks that cause massive user drop-off. For the New Zealand market, bank transfer solutions like POLi sit perfectly in the target zone: they are authenticated natively by the user's bank (eliminating chargebacks), the funds are cleared instantly, and the name attached to the bank account is easily verified against the casino profile to ensure AML compliance. Structuring the cashier to promote these optimal methods — perhaps by offering specific deposit bonuses or faster withdrawals — naturally de-risks the platform's payment flow without heavy-handed restrictions.

Author's tip from James Whittaker, Senior Fraud & Risk Analyst | Payment Security: "Handling Source of Funds (SOF) requests is an art form. It is the moment where compliance most violently collides with VIP management. When an algorithm flags a player who just deposited $15,000, the worst thing you can do is instantly freeze the account and send an automated, robotic email demanding their tax returns. You will lose the player forever. Instead, integrate SOF gathering into the customer service flow. Have a trained VIP host reach out personally. Frame the request as a regulatory requirement to protect their account, not as an accusation. Provide a secure, encrypted portal for document upload — never ask for bank statements via unencrypted email. The operators who handle EDD with a white-glove approach retain their high-value players; those who treat it purely as an administrative checkbox destroy their own LTV (Life Time Value)."

REAL-TIME TRANSACTION RISK DECISION ENGINE
Automated Fraud Screening Architecture • Logic & Governance Matrix

- INPUT SIGNALS: Device: 0x4F.. · IP: 103.22.NZ · Proxy: Clear
- BEHAVIORAL: Velocity: Low · Lag: 42ms · Auth: Strong
- L1 STATS, BLOCKS: Card Test: 0.1% · AML/3rd: 0.08%
- L1 STATS, STEP-UPS: KYC Req: 1.2% · SOF Req: 0.4%
- L1 STATS, THROUGHPUT: 98.7% Approved

L1 TRANSACTION PIPELINE

- Q1: VELOCITY LIMITS BREACHED? → REJECT
- Q2: DEVICE/IP RISK SCORE > 80? → KYC
- Q3: PAYMENT NAME MISMATCH? → BLOCK
- Q4: BREACH AML/SOF THRESHOLD? → EDD
- PAYLOAD CLEARED ✓ Submitted to Gateway

System State: All validation layers active. Asynchronous risk processing enabled.

The transaction decision tree is the literal embodiment of automated compliance. Notice that the actual payment processor is not pinged until Gate 5. Every check before that—velocity, device footprint, third-party naming, and AML thresholds—is handled internally by the operator's Risk Engine. If you send fraudulent or mismatched transactions straight to your payment processor (e.g., Visa or Mastercard), you incur processing fees on failed transactions, ruin your merchant approval ratios, and flag your company as a high-risk liability to acquiring banks. Filtering the noise internally saves money and satisfies regulators. Furthermore, this tree highlights the interaction between system logic and human intervention. Not every flag is an auto-ban (e.g., Gate 2 and Gate 4). A changed IP address or a high deposit threshold triggers a temporary hold, routing the player to an analyst queue. This is the hallmark of mature payment security: automating the obvious rejections to free up human analysts to conduct nuanced investigations.
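
The four gates described above, written out as an added example (not the page's or any vendor's code) so the ordering and the hold-versus-reject outcomes are explicit. Class, field and outcome names are hypothetical, the $10,000 EDD threshold is assumed from the page's own example, and the velocity rule uses the glossary's figure of 5 failed deposits in 60 seconds.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

MAX_FAILED, WINDOW_S = 5, 60   # glossary's velocity example: 5 failed attempts in 60 s
RISK_CUTOFF = 80               # Q2 cut-off shown in the pipeline
EDD_THRESHOLD = 10_000         # assumed AML/SOF trigger (NZD)


@dataclass
class Deposit:
    ip: str
    ts: float               # epoch seconds
    amount: float
    risk_score: int         # 0-100 device/IP score from the fingerprinting layer
    profile_name: str       # KYC-verified legal name
    instrument_name: str    # name on the card or bank account
    prior_total: float = 0  # deposits already counted toward the threshold


def _norm(name):
    # Case- and whitespace-insensitive comparison only; looser matches go to an analyst.
    return " ".join(name.casefold().split())


class RiskPipeline:
    def __init__(self):
        self._failed = defaultdict(deque)   # ip -> timestamps of failed deposits

    def record_failed_deposit(self, ip, ts):
        self._failed[ip].append(ts)

    def decide(self, d):
        recent = self._failed[d.ip]
        while recent and d.ts - recent[0] > WINDOW_S:    # expire old failures
            recent.popleft()
        if len(recent) >= MAX_FAILED:
            return "REJECT"     # Q1: velocity limit breached, cashier locked
        if d.risk_score > RISK_CUTOFF:
            return "KYC"        # Q2: step-up verification, not an auto-ban
        if _norm(d.profile_name) != _norm(d.instrument_name):
            return "BLOCK"      # Q3: third-party funding
        if d.prior_total + d.amount >= EDD_THRESHOLD:
            return "EDD"        # Q4: hold and route to the analyst queue
        return "SUBMIT"         # only now is the payment gateway contacted


def demo():
    # Constructed inputs: documentation-range IPs and a made-up player name.
    p = RiskPipeline()
    for t in range(5):
        p.record_failed_deposit("203.0.113.7", 1000 + t)
    ok = dict(ts=1010, amount=200, risk_score=20,
              profile_name="Aroha Ngata", instrument_name="AROHA  NGATA")
    clean = "198.51.100.4"
    return [
        p.decide(Deposit(ip="203.0.113.7", **ok)),
        p.decide(Deposit(ip=clean, **{**ok, "risk_score": 91})),
        p.decide(Deposit(ip=clean, **{**ok, "instrument_name": "Tane Ngata"})),
        p.decide(Deposit(ip=clean, **{**ok, "prior_total": 9_900})),
        p.decide(Deposit(ip=clean, **ok)),
        p.decide(Deposit(ip="203.0.113.7", **{**ok, "ts": 1100})),  # window expired
    ]
```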

You must be 18 or over (R18) to play at any licensed NZ online casino. If gambling is causing concern for you or your whānau, free confidential support is available 24/7 — call 0800 654 655, text 8006, or visit safergambling.org.nz.

FAQ

What are "Free Spins"?
Turns on a game that don't cost any money. Any money you win is added to your balance at All Slots. A great way for players in New Zealand to win.
What is a "Jackpot"?
A very large prize that you can win on certain games at All Slots. Some grow bigger every time someone plays in New Zealand.
What is a "Deposit"?
When you add money to your account. You can use cards, e-wallets, or other local methods available in New Zealand for All Slots.
What is a "Withdrawal"?
This is when you take your winnings out. We send the money back to your bank or wallet in New Zealand from All Slots.
What is the "Balance"?
The total amount of money you currently have in your account to play with at All Slots in New Zealand.
What is a "Demo"?
A "play-for-fun" version. It uses fake money so you can practice for free at All Slots before betting real cash in New Zealand.
What are "Reels"?
The vertical columns that spin in a game. Most modern pokies at All Slots have 5 reels for you to enjoy in New Zealand.
What is a "Paytable"?
A list inside the game that shows you how much each symbol is worth and how the bonuses work at All Slots for New Zealand.
James Whittaker
Senior Fraud & Risk Analyst | Payment Security
James is a cybersecurity specialist focused on protecting the financial integrity of online gaming platforms. He has deep expertise in combatting bonus abuse, account takeovers, and synthetic identity fraud. James works closely with payment providers to integrate the latest biometrics and multi-factor authentication (MFA) standards. His professional insights help operators stay one step ahead of organized fraud syndicates while ensuring a smooth, low-friction experience for legitimate players. He is a frequent contributor to security whitepapers and industry-specific threat intelligence reports.