Legal & Compliance Assessment

Restructuring Veriff KYC around first redemption

An assessment of the legal, regulatory and operational implications of moving POA, IDV and AML verification from the point of registration to the point of first SC redemption. Covers federal AML obligations, state sweepstakes law, UDAP exposure, payment-rail dependencies, and a recommended tiered control model.

Owner · Compliance · MetaWin.us Status · Draft for legal review Audience · Richard, Compliance, Product, Risk Version · 0.1 · May 2026
Internal Memo · Not Legal Advice
This document sets out a structured compliance view to inform a leadership decision. Any change to KYC architecture must be reviewed by external regulatory counsel in our priority states (CA, NY, FL, TX, IL, PA) and validated against current processor and Veriff contractual terms before implementation.
Contents
01 / SUMMARY

Executive summary

Position

Moving the Veriff document checks (POA + IDV) from registration to first redemption is legally defensible and operationally tractable. The architecture has three gates: a light eligibility screen at the form step (age, state, self-exclusion); a behind-the-scenes Veriff AML screen plus payment / wallet checks at first paid purchase; and full Veriff document KYC at first redemption or AMOE submission. AMOE entrants have no payment-rail identity signal, so the full document flow is the equivalent identity gate to what paid users get through their card / wallet / 3DS data at Tier 1c. The framing is "silent AML at first purchase, full Veriff at redemption or AMOE, nothing user-visible at registration".

Federal AML / BSA
Defensible to relocate document KYC
State sweepstakes law
No timing mandate, verify at award is fine
UDAP / consumer protection
Strongly mitigated by no-SC-from-bonus mechanic
OFAC / sanctions
Strong trigger at first purchase, not registration
Veriff contract
Decompose AML / IDV / POA pricing
Processor expectations
Brief Worldpay / Nuvei / crypto rails
Legal defensibility
High
If AML stays at registration
UDAP / AG risk
Low–Medium
Form data + AML screen materially mitigate
Sanctions / OFAC risk
Controlled
Provided AML screen retained pre-purchase
Existing form data does the work

The registration form already collects name, date of birth and state between T&C acceptance and Veriff. That data is sufficient for an OFAC / sanctions name screen, a self-exclusion register lookup, a state-eligibility check and an age check, all without needing document verification. The form becomes the load-bearing identity layer at registration; Veriff's document checks move downstream.

The GC 10,000 bonus has no redemption path

SC cannot be won from GC gameplay. SC is only credited as a free bonus alongside a paid GC purchase. That means the free GC 10,000 sign-up bonus is entertainment-only value; a user with only the free GC can never reach a redemption attempt. This collapses several risks that would otherwise apply: there is no zero-purchase redemption path, no path for a sanctioned person or minor to extract value from the platform without first making a purchase (which triggers our payment-rail controls), and no straightforward bonus-harvesting model that ends in cash. The first real value-out moment is the first SC redemption, which is the natural Tier 2 trigger.

!
First purchase is the meaningful gate

Because SC only enters via purchase, the moment a user buys their first GC pack is the moment they acquire redemption-capable currency. That is the operational equivalent of "value moving" on the platform: from this point forward the user holds SC that can ultimately be redeemed for cash. Tier 1c controls (BIN match, OFAC re-screen, state recheck for prohibited and SC-restricted states, Chainalysis wallet screen for crypto) need to fire at this step, not at redemption. By the time redemption is requested, the SC has already been issued.

02 / CONTEXT

Current state & proposed change

Current registration flow

Today
01 Sign Up + Auth Wallet / Google / Email
02 Accept T&Cs Consent capture
03 Name · DOB · State Self-declared form FORM
04 Veriff: POA + IDV + AML All three checks KYC NOW
05 GC 10,000 credited Sign-up bonus VALUE
06 Play / GC purchase Money in
07 SC redemption Money out

Recommended target flow

Recommended
01 Sign Up + Auth + T&Cs Geo · age affirm · device fingerprint
02 Name · DOB · State (existing) Self-declared form, now load-bearing TIER 1a
03 Light screen Age · state routing · self-exclusion TIER 1b
04 GC 10,000 + free play No redemption path PLAY ONLY
05 First GC purchase Silent AML · BIN · wallet · risk TIER 1c
06 Trigger thresholds Spend · velocity · risk score
07 Redemption or AMOE Full Veriff POA + IDV TIER 2
04 / DEFENCE

Where the change is defensible

A1
Sweepstakes statutes don't mandate KYC timing
State sweepstakes law regulates disclosure, AMOE parity, odds and prize fulfilment, not the moment of identity verification. Our obligation is to confirm the winner's identity at the point of award. Moving POA + IDV to redemption aligns directly with that.
Strength Strong Authority State sweepstakes statutes
A2
Federal CIP doesn't attach to a free social account
BSA / CIP obligations under 31 CFR 1020 attach to financial institutions opening accounts. We're not a licensed casino under 31 CFR 1021, and creating a free Gold-Coin account isn't a financial-account opening. The financial relationship arguably begins at the first cash-equivalent movement, with redemption the cleanest trigger for full CIP-style verification.
Strength Strong Authority 31 CFR 1020 / 1021
A3
IRS reporting is naturally redemption-gated
W-9 / 1099-MISC obligations crystallise at the $600 aggregate prize threshold. We cannot file a 1099 without a TIN, so collecting full identity at redemption aligns the IRS workflow with the Veriff workflow; no duplication, no orphan data on losers.
Strength Strong Authority IRC §6041
A4
Industry precedent supports the model
VGW (Chumba, LuckyLand, Global Poker), Stake.us, McLuck and others operate variants of tiered or redemption-staged KYC. This is not outlier behaviour; it has become the industry norm precisely because friction at registration kills funnel conversion. A move in this direction would not be unusual in the eyes of a regulator.
Strength Moderate Authority Industry practice
A5
POA at registration is industry-light by default
Proof of address is the heaviest piece of friction in the current Veriff flow and the one with the weakest legal justification at registration. Address verification is most defensibly tied to prize fulfilment (where the prize physically or financially lands), not to account opening. Moving POA to redemption is the easiest leg of the change to defend.
Strength Strong Authority Operational logic + benchmarking
05 / RISK

Where risk concentrates

These are the risks that the working-group should treat as load-bearing in the design. They are ordered roughly by exposure severity. Each card identifies the specific failure mode and the mitigation that takes it from unacceptable to tolerable.

OFAC / sanctions screening
Controlled
OFAC is strict-liability. The strongest sanctions trigger on the platform is the first paid purchase: that's when a card or crypto transaction is processed in the user's name and redemption-valuable currency (SC) enters their account. The Veriff AML check (PEP, watchlist, sanctions) runs silently behind the scenes as part of the payment authorisation flow at Tier 1c, on the form-captured name + DOB. No user-visible step.
MitigationSilent Veriff AML at Tier 1c (first purchase)
UDAP / state AG exposure
Reduced
Active AGs (NY, CA, MI, PA) and plaintiffs' firms can argue that allowing unverified users to purchase Gold Coins is itself unfair or deceptive. The retained form (name / DOB / state) plus an AML and self-exclusion screen at registration materially reduces this exposure compared to a "no checks until redemption" model. The residual risk is around document-level verification of state (POA), not the existence of any identity at all.
MitigationRetain form + AML; written state-by-state counsel memo
State eligibility & SC-restricted states
State-list breach
Two distinct state issues. Fully prohibited states (where MetaWin.us does not operate at all) need to be blocked at every value-moving step. SC-restricted states (CA, CT, ID, IL, LA, MD, MI, MT, NV, NJ, NY, TN, WA) allow GC purchase but not SC: users can play for entertainment but cannot redeem. The registration form captures declared state today, which lets us route users to the correct experience. The residual risk under the new model is users who declare a permitted state but actually reside in a restricted or prohibited one. Today Veriff's POA partially catches this; under the new model that check moves to redemption, so per-session geolocation and the Fingerprint coverage fix (MET-4235) carry more of the load.
MitigationPer-session geo; declared-state cross-check; SC-restricted routing; Fingerprint MET-4235
Self-exclusion & responsible-play evasion
RG exposure
Self-excluded individuals can register under variant names and bypass a declared-data check. Today Veriff's IDV is the document-level catch. Under the new model, the catch moves to redemption, meaning we'd discover the breach only after purchases, play and potential losses. The form's name + DOB can be cross-checked against the group-wide register at Tier 1b, which gets us most of the way but not all of it.
MitigationTier 1b: name+DOB cross-check against group-wide self-exclusion register
Crypto on-ramp risk
FinCEN CVC scope
Crypto-funded purchases without identity context are higher-risk than card-funded purchases. FinCEN's 2019 CVC guidance and the Travel Rule (≥$3,000) put wallet-level screening squarely at the purchase-funding step. The Chainalysis integration (MET-2020) handles the wallet leg; identity can still move, but the wallet risk score cannot.
MitigationChainalysis wallet screen mandatory at purchase; identity at Tier 2
Chargeback & first-party fraud
Processor pressure
Unverified purchase flows are correlated with higher chargeback rates (friendly fraud, account-takeover, bonus abuse). Visa VAMP / Mastercard ECP thresholds are unforgiving, and a sustained spike risks processor placement.
MitigationBIN/billing match at Tier 1; velocity rules; risk-model gating
Redemption-stage abandonment
Player-trust risk
Asking for POA + IDV + AML only when a player tries to redeem creates a high-friction moment at exactly the wrong point in the lifecycle. Expect Trustpilot / SweepsKings reviews complaining that "MetaWin won't pay out" if the redemption-stage KYC is not communicated upfront, handled fast, and signposted in T&Cs. Reputationally this is the second-most-likely failure mode.
MitigationPre-redemption KYC nudge; clear T&C language; sub-24h Veriff SLA
Veriff contractual / volume model
Commercial
Our Veriff contract (running to August 2026) is priced on registration-stage volume. Moving to a smaller pool of redemption-only checks may breach minimum-volume commitments or, more positively, reduce overall cost. POA is the weakest line item, already flagged in our benchmarking.
MitigationReopen Veriff commercial terms ahead of August renewal
06 / VENDOR

Veriff-specific considerations

Veriff currently runs three distinct checks at registration. The relocation question is not "all three at redemption"; it should be decomposed by check. Each line is independently movable, and the legal logic for each is different. Crucially, the registration form already collects name, DOB and state: exactly the inputs the AML check needs to run, whether it runs at registration or at first purchase.

Check What it verifies Inputs needed Recommended timing Move to redemption?
AML Sanctions / PEP / watchlist screening Name + DOB (already captured in the form today) Tier 1c (first paid purchase), runs silently as part of the payment authorisation flow. This is when SC (the only redemption-valuable currency) first enters the account. No user-visible step. Moves to purchase
IDV Government ID + liveness / similarity Document upload · selfie · device camera Move to Tier 2 (redemption) for the full document + liveness flow. Skipped entirely for users who never redeem. Yes
POA Proof of current residential address Document upload (utility bill, bank statement) Move to Tier 2 (redemption). POA has the weakest registration justification and the highest friction cost. Yes
The decomposition is clean

Because SC only enters via paid purchase, the AML screen's strongest legal trigger is the purchase event, not registration. The full Veriff stack moves out of the registration flow entirely: AML runs silently at Tier 1c (first purchase) as part of the payment authorisation flow, POA + IDV run at Tier 2 (first redemption). Tier 1b at the form step uses internal systems (self-exclusion DB, age math, state list); no Veriff call required. Frame this as "run AML behind the scenes at first purchase, POA + IDV at first redemption, nothing at registration".

07 / MODEL

Recommended tiered model

The defensible architecture replaces a single, all-or-nothing Veriff gate at registration with three escalating tiers. Each tier collects the minimum identity signal required for the next type of activity, and full Veriff KYC sits at the redemption gate.

Tier Trigger Controls Vendor / system
Tier 0
Pre-form
Sign-up → auth → T&Cs Email confirmation · Age affirmation (21+) · Geolocation · Fully prohibited-state block · Device fingerprint capture · T&C / privacy / RG consent Fingerprint · Geocomply / internal geo
Tier 1a
Form (existing)
Form step, already in flow Self-declared name · DOB · state. No new tech required; this step already runs today. MetaWin.us registration form
Tier 1b
Light eligibility
On form submission, before bonus credit Age check (DOB-derived) · group-wide self-exclusion register lookup · state-of-residence eligibility check (block fully prohibited states; flag SC-restricted-state users for GC-only experience) · risk-model evaluation (initial). All silent / synchronous. Pass required before GC 10,000 bonus credits. No Veriff call at this stage. Self-exclusion DB · internal risk model
Bonus gate
Play-only value
Tier 1b pass GC 10,000 sign-up bonus credited. User can play. No redemption-valuable currency (SC) in account yet, only entertainment value. Until this gate passes, the bonus is not credited and play is not possible. MetaWin.us platform · loyalty system
Tier 1c
First purchase
First GC purchase (card or crypto) Behind-the-scenes Veriff AML / sanctions / PEP screen on form-captured name + DOB · BIN-to-billing match (card) / Chainalysis wallet risk screen (crypto) · 3DS · state recheck (block fully prohibited; suppress SC for SC-restricted) · re-evaluate risk model with payment data. All silent: no user-visible step beyond standard payment authorisation. This is the heavyweight gate for paid users because this is the moment redemption-valuable currency (SC) first enters their account. Payment-rail data (card, BIN, 3DS) supplies corroborating identity alongside the AML screen. Veriff AML standalone (decomposed) · Chainalysis · processor 3DS · internal risk model
Tier 2
Redemption or AMOE
First SC redemption or AMOE submission Full Veriff POA + IDV + AML re-screen · TIN collection (W-9) · document liveness · source-of-funds questionnaire for higher tiers · withdrawal payment-method ownership check. AMOE submission triggers the full stack: AMOE entrants have no payment-rail identity signal, so the Veriff documents do all the identity work. SC is not issued via AMOE until Tier 2 clears. Veriff full stack · IRS workflow · payment-rail KYC

Why this structure

The gates align with the user's lifecycle. A light eligibility screen (Tier 1b) gates the play-only bonus; a behind-the-scenes Veriff AML screen plus payment / wallet checks (Tier 1c) fire at the moment a paid user purchases their first GC pack; and full document KYC (Tier 2) gates the moment a user attempts to extract value as cash via redemption, or to obtain SC via the AMOE path. AMOE submission triggers the same full Tier 2 stack as redemption because AMOE entrants have no payment-rail identity signal: the document KYC is the equivalent identity gate to what paid users provide through their card or wallet data at Tier 1c. The user experience at registration is unchanged from today (same form, same wait), but Veriff drops out of the registration flow entirely.

08 / FUTURE WORK

Optional early-KYC triggers (future)

The redemption gate is the load-bearing KYC moment in the model. It is the right default, and in most cases sufficient on its own. Over time we may want to introduce a small number of early-KYC triggers that pull full Veriff verification forward to before redemption when a user shows signals of risk. This section is a placeholder for that work, not a launch commitment. The capabilities are already in our stack or planned; what's missing is the policy framework, thresholds and counsel sign-off.

Candidate signals to develop into early-KYC triggers, all behavioural rather than spend-based:

i
Out of scope for the initial launch

None of this is required for the v1 restructure. Redemption-gated full Veriff plus the Tier 1 / 1c controls already in scope are sufficient. Early-KYC triggers are a v2 conversation, sequenced after the launch has bedded in and we have telemetry on which signals actually correlate with bad outcomes at redemption. Thresholds, weightings and the cost of a Veriff pull all need to be quantified against real data, not picked in advance.

09 / OPEN

Open questions for counsel

The following questions should be put to external regulatory counsel before sign-off and used as the structure for the formal memo.

  1. UDAP risk per priority state. Does our Tier 1 control set (form + light eligibility gate + AML at first purchase) materially reduce the risk of a deceptive-practices claim in NY, CA, MI, PA, FL, TX, IL? Are there state-specific carve-outs we need to build in?
  2. State sweepstakes statute review. Are there any state sweepstakes statutes (or AG guidance) that read implicitly as a "verify at registration" mandate, even though they don't say so on the face of the text?
  3. OFAC perimeter. Confirm that running the Veriff AML / sanctions screen silently at first purchase (Tier 1c, inside the payment authorisation flow) is sufficient given that the play-only bonus GC cannot produce redemption-valuable currency without a paid purchase.
  4. Bonus as value transfer. Confirm: is the free GC 10,000 a "transaction" or "value transfer" for OFAC purposes, given that it has no redemption path on its own? Our expectation is no, but we want this in writing.
  5. AMOE consideration analysis (priority). The proposed model requires full Veriff (POA + IDV) at AMOE submission, while paid first-purchase only triggers a silent AML screen. The asymmetry is justified by identity-signal equivalence (paid users supply card / BIN / 3DS data; AMOE users supply none, so the document KYC is the equivalent identity gate). Confirm this reasoning holds across CA, NY, FL, TX, IL, PA, MI; flag any state where requiring documents from AMOE entrants but not paid entrants creates a consideration problem.
  6. SC withholding enforceability. Are our proposed T&C changes to permit withholding of SC where Tier 2 KYC later fails enforceable in our priority states? Any consumer-protection limits we should know about?
  7. Self-exclusion exposure. What is our liability if a self-excluded individual receives the free GC, plays for entertainment value, but never purchases? Is Tier 1b cross-checking adequate?
  8. Veriff & data-minimisation. Are there CCPA / CPRA implications of collecting full Veriff data at redemption from users who registered months earlier under a lighter privacy notice? Do we need a re-consent step at Tier 2?
  9. Card-network rules. Are there Visa / Mastercard scheme-rule positions on unverified customers transacting (especially for "high-risk" merchant categories) that override our legal analysis?
  10. Crypto on-ramp. What is the FinCEN / state-MSB position on unverified-identity crypto-funded purchases accompanied by Chainalysis wallet screening? Is the Tier-2-on-redemption identity model defensible on the crypto side as well as the fiat side?
  11. Marketing claims. Do our existing marketing claims ("verified", "safe", "secure") need to be revised if a meaningful proportion of accounts will be unverified for an extended period?
i
Next step

Once counsel responses are in, this document should be re-issued at v1.0 with the counsel positions inlined and the Tier 1 / Tier 2 control lists locked. From there it becomes the source-of-truth for the engineering scope and the input to a single Jira epic (proposed: MET-KYC-TIER) alongside the existing MET-2529 risk-model work.