Betting operators should treat multi-accounting as a cross-journey identity correlation problem, not just a registration issue. The strongest controls connect onboarding, device, payment, and session signals so one person cannot look like many customers. Shared watchlists, consistent risk thresholds, and escalation paths between partners are essential when volume spikes.
Why This Matters for Security Teams
During major sporting events, multi-accounting stops being a narrow fraud case and becomes a high-speed identity correlation problem. Betting operators need to decide whether two registrations, two devices, and two payment methods are actually the same person trying to evade limits, bonuses, or self-exclusion controls. That is a governance issue as much as a detection issue, because fragmented identity evidence creates blind spots across onboarding, wagering, and payouts.
Current guidance suggests treating the customer journey as one linked risk surface, not as isolated account events. That means correlating device intelligence, payment instruments, behavioural patterns, and session history under consistent rules. It also means aligning controls with broader identity governance principles described in the NIST Cybersecurity Framework 2.0 and with NHIMG’s identity research in Ultimate Guide to NHIs, especially where identity sprawl and weak lifecycle control amplify abuse.
The practical risk is not only bonus theft. Multi-accounting can mask underage gambling, sanctions evasion, collusion, chargeback fraud, or evasion of responsible gambling interventions. In practice, many security and compliance teams encounter coordinated account abuse only after event-day losses and dispute volume have already spiked.
How It Works in Practice
Effective handling starts with a cross-journey identity model that links accounts by more than email or phone number. Operators should combine onboarding checks, payment fingerprints, device telemetry, IP and network patterns, and session behaviour into a single risk view. The goal is not to reject every duplicate signal, but to make it difficult for one person to appear as many low-risk customers.
In operational terms, that usually means:
- Applying real-time correlation rules at registration, deposit, withdrawal, and promo redemption.
- Using step-up verification when several weak signals cluster around one device, payment instrument, or location.
- Maintaining shared watchlists across brands, partners, and internal fraud teams so repeat abuse is not relearned during each event.
- Setting common thresholds for alerts, account holds, and manual review so controls do not vary by channel.
- Preserving evidence trails that show why accounts were linked, since appeals and regulatory reviews often depend on explainability.
This is where policy discipline matters. Operators should define what constitutes a material linkage, how long correlation evidence is retained, and when escalation moves from fraud operations to compliance or responsible gambling teams. For broader identity lifecycle lessons, NHIMG’s Ultimate Guide to NHIs is useful because the same failure pattern appears whenever identities are multiplied faster than they are governed. The control model should also map to the detection and response discipline in the NIST Cybersecurity Framework 2.0.
These controls tend to break down when operators run fragmented brand stacks, because identity evidence is trapped in separate products and duplicate detection loses context during peak-event traffic.
Common Variations and Edge Cases
Tighter multi-accounting controls often increase customer friction, requiring operators to balance fraud reduction against conversion loss and regulatory scrutiny. That tradeoff is especially visible during major sporting events, when legitimate sign-ups and first-time deposits also spike.
There is no universal standard for this yet, but current guidance suggests several common exceptions need explicit handling. Household sharing can resemble collusion, especially when multiple bettors use the same network or payment family. Syndicate betting may look like coordinated abuse unless account relationships are documented. Travel, mobile networks, and VPN use can also produce false positives if device and behavioural evidence are not weighted correctly.
Operators should therefore separate hard blocks from soft friction. A high-confidence link may justify account restriction, while a lower-confidence match may only trigger enhanced due diligence or deposit limits. During peak events, escalation paths must be fast enough to prevent abuse without causing review queues to back up. The strongest programs also coordinate with payment providers and other operators when patterns suggest repeat abuse across brands, because isolated action often just displaces the problem.
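The correlation rules from "How It Works in Practice" and the hard-block versus soft-friction tiering above, sketched as an added example (not NHIMG's or any operator's code). The signal names, weights, thresholds, and sample accounts are all constructed assumptions.

```python
from collections import defaultdict
from itertools import combinations

# Assumed weights: strong identifiers count more than network signals,
# which households, mobile carriers and VPN exits legitimately share.
WEIGHTS = {"payment_fp": 0.6, "device_id": 0.5, "ip": 0.15}
HARD_BLOCK, STEP_UP = 0.9, 0.4  # assumed thresholds, identical on every channel

# Constructed sample accounts (not real data).
ACCOUNTS = [
    {"id": "A1", "device_id": "dev-1", "payment_fp": "card-9", "ip": "203.0.113.7"},
    {"id": "A2", "device_id": "dev-1", "payment_fp": "card-9", "ip": "198.51.100.4"},
    {"id": "A3", "device_id": "dev-2", "payment_fp": "card-3", "ip": "203.0.113.7"},
    {"id": "A4", "device_id": "dev-2", "payment_fp": "card-5", "ip": "192.0.2.10"},
    {"id": "A5", "device_id": "dev-8", "payment_fp": "card-7", "ip": "192.0.2.99"},
]

def link_accounts(accounts, documented=frozenset()):
    """Score each account pair sharing a signal value and keep the evidence."""
    by_value = defaultdict(set)
    for acct in accounts:
        for signal in WEIGHTS:
            if acct.get(signal):
                by_value[(signal, acct[signal])].add(acct["id"])
    evidence = defaultdict(list)
    for (signal, value), ids in by_value.items():
        for pair in combinations(sorted(ids), 2):
            evidence[pair].append((signal, value))
    results = {}
    for pair, shared in evidence.items():
        score = round(min(1.0, sum(WEIGHTS[s] for s, _ in shared)), 2)
        if frozenset(pair) in documented:
            # Declared household or syndicate: route to a human, no automated block.
            action = "manual_review"
        elif score >= HARD_BLOCK:
            action = "restrict"              # high-confidence link
        elif score >= STEP_UP:
            action = "step_up_verification"  # soft friction
        else:
            action = "monitor"               # weak signal alone, e.g. a shared IP
        # The evidence list is the explainable trail for appeals and reviews.
        results[pair] = {"score": score, "action": action, "evidence": sorted(shared)}
    return results

if __name__ == "__main__":
    for pair, decision in sorted(link_accounts(ACCOUNTS).items()):
        print(pair, decision)
```

A shared IP alone only reaches `monitor`, which is how the household, travel, and VPN cases stay out of the hard-block tier.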
In practice, the hardest failures appear when event-day volume rises faster than review capacity, because the business then accepts inconsistent decisions that fraudsters quickly learn to exploit.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-1 | Identity evidence must be correlated across journeys to detect repeat abuse. |
| NIST CSF 2.0 | DE.CM-1 | Event-day monitoring is needed to spot coordinated multi-accounting patterns quickly. |
| OWASP Non-Human Identity Top 10 | NHI-06 | Account linkage and lifecycle abuse mirror identity sprawl and weak governance issues. |
Treat duplicate customer identities as a lifecycle control problem and enforce consistent linking rules.
Reviewed and updated by the NHIMG editorial team on June 10, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org