Access Authorization Technologies for Regulatory Compliance
Virtual Checkpoint™ is the only solution capable of evaluating and authorizing user access by residency, location, and/or age based on dynamic permission and exclusion principles, and is the only solution that is capable of enabling operators to meet legal regulatory compliance on the Internet. Virtual Checkpoint™ is able to process jurisdictional data, using access authorization controls that are able to process any level or combination of permission and exclusion criteria and any combination of user location and residency information at all jurisdictional levels. This is now known as "GeoFencing", which was first pioneered by NEMISYS NETWORKS™ as a functional solution in 2005.
Introduction
The advanced patented methods and processes of Virtual Checkpoint™ were developed utilizing multi-dimensional solutions matrices. Every possible outcome from every possible input must return results that are free of false positives. This system processes jurisdictional data input by operators and residency data input by users or location information retrieved from devices. The results are also verified through an Address Verification System (AVS) to verify the accuracy of the information provided by the user. Operators utilize permission and exclusion processes to configure the system based on the registrations, licensing, and permits they have acquired to operate an activity, thereby creating authorization policies within the system. Operators are currently responsible for configuring their own individual permissions and exclusions properly. Once the system has been configured by the operator, the system is able to process all user input data (Residency and Location Information) to determine authorization.
Virtual Checkpoint™ has been dubbed by many industry peers and professionals as the "Holy Grail" of Internet Regulation. Prior to the invention of Virtual Checkpoint™, there was no way for regulated industries to determine if an Internet user was legally permitted to access information or partake in activities. Websites have had to resort to basic forms, form objects, and disclaimers that give the false impression of compliance without a truly proactive and functional authorization and verification process that guarantees compliance. A process of authorization and verification that addresses all possible outcomes through methods and processes that acknowledge all jurisdictional levels to determine authorization and the verification of user information is required. Depending on the activity in which an organization is engaged, additional regulations specific to the activity may also apply. There is much more that must be done beneath the surface to maintain regulatory compliance, and any process that does not address all levels of jurisdictional governance authorization and verification is flawed. Also disclaimers, although recommended in any scenario, are a slippery slope and do not override law.
Understanding Verification and Authorization
There is a clear and defined distinction between verification and authorization. Understanding what they are and how they are used is critical to the application of methods and processes within a greater system for effective access control. Both need to be used together and need to be utilized continuously to maintain jurisdictional regulatory compliance.
VERIFICATION (GeoLocation)
Methods of verification include all methods of validating and confirming the accuracy of user and device data. Verification processes are utilized to determine if data is true or false. Verification methods and processes also attempt to establish accurate user residency and device location information. Verification can occur either prior to authorization, after authorization, or during authorization of user access, as well as whenever a user alters their information.
AUTHORIZATION (GeoFencing)
Authorization methods require the establishment of access authorization policies and controls, and utilize processes to evaluate user and device data to determine access permission or denial based on access controls, policies, and configurations within a system. Permission and Exclusion criteria are used to establish these policies for Location, Residency, and Age. User and device data are evaluated against these access authorization policies to determine access authorization. Authorization can occur either prior to verification, after verification, or during verification of user or device data, as well as whenever a user alters their information.
Utilized together, Verification and Authorization processes can create an effective access control system that is capable of reliable jurisdictional access allowance or denial.
Understanding User Location and Residency
On the surface this may seem simple, but don’t be fooled by snake oil salesmen. There are major differences in technologies, methods, and processes used to acquire user location and residency, all of which have their strengths and weaknesses. To understand the feasibility of each of the currently available methods for the acquisition and verification of user location and residency, we must examine them individually and determine their plausibility in virtual regulatory environments. There is also a substantial difference between authentication and authorization, where authentication of a location is a verification of location data and authorization is the determination of access permission or denial. The following are the results of extensive performance testing of various technologies, methods, and processes.
METHODS OF VERIFYING USER LOCATION
The reality of acquisition and verification of physical user location is a grey area in virtual environments. It is not the user’s location that is being acquired and verified, it is the location of the device the user is utilizing. Devices can be programmed to transmit false data or can be placed in a location and accessed remotely. This is simply the reality of mobile and device GeoLocation technologies.
The utilization of Internet Protocol Address (IP Address), Wireless Local Area Networks (WLAN or WiFi), Global System for Mobile Communications (GSM), Global Positioning System (GPS), and Mac Address are methods of location identification that can all be spoofed or altered, and the use of proxy or remote access programs can render these technologies useless for determining user location. Since all of these technologies are subject to the same types of vulnerabilities to reliability, whether you utilize one or all of these technologies together, they may not be plausible identifiers for user location, even thou they may be able to locate a device. Virtual Checkpoint™ has been designed to use any and all identifiers for a location as mentioned here, but choosing which are plausible, if any, is dependent on each individual business, market, and/or regulatory environment.
METHODS OF VERIFYING USER RESIDENCY
Utilizing user residency is a much more effective and reliable solution for regulating online activities by jurisdiction. User residency information can be acquired from a variety of data sources such as Financial Records and Accounts through financial institutions, Drivers Licenses, Physical Face-to-Face Registration, and Postal Application Registrations. Some of these methods do come with their own short comings, for example not everyone has a driver’s license, and physical face-to-face or postal application registrations lack the necessary redundant perpetual verifications. Of these methods of residency verification, the most reliable method of user verification in a virtual environment is the verification of user residency utilizing financial systems during financial transactions. In fact, financial institutions utilize all of the above mentioned methods and more when individuals setup financial accounts, which makes them pre-verified prior to engaging any system. Utilizing financial transactions as baseline triggers for authentication and authorization validations also provides the redundant perpetual verifications necessary in the maintenance of continued regulatory compliance.
Utilizing user residency over user location is a far more reliable method of regulation and control. Residency is far more difficult to circumvent and often involves an individual committing multiple frauds across multiple industry and governmental regulations. Using user residency as a determinant is also a superior method of regulating jurisdictional activities since each individual jurisdiction only has jurisdiction over its own residents and operators. Residency is also specific to a user, not a device. For this reason, we tend to favor the use of user residency over device location for regulated market sectors as a more reliable protection of operators, even as Virtual Checkpoint™ is capable of utilizing any form of location data to determine access authorization. We prefer to utilize the greatest amount of risk mitigation for our user operators in each industry as necessary.
The Solution for Raffle America™
In a perfectly honest world, all of the above methods for user location and residency verification have their merits. Unfortunately we do not live in a perfectly honest world, and betting your business on the integrity of strangers is foolish to say the least. Although none of these methods are absolute, we must utilize only the most plausible methods from what is currently available under the most feasible conditions. The following are our preferred methods for the non-profit sector derived from our extensive research and experience with the non-profit regulatory and reporting environment, and should not be construed to limit the capabilities of Virtual Checkpoint™ and its technologies.
CLOSED LOOP NETWORK: RaffleAmerica.com™ is a closed loop network which requires users to register and create an account to partake in fundraising activities, with the exception of donations which are open to the public. RaffleAmerica.com™ utilizes redundant authorization and validation methods and processes to establish policies and procedures that are reasonably designed to identify and block or otherwise prevent or prohibit restricted transactions.
ONLINE: Financial records, account data and Address Verification Services (AVS) are utilized to verify user residency at points of financial transactions on Internet browser interfaces on a continuous basis to ensure the continued maintenance of regulatory compliance. User residency data is also processed utilizing access authorization policies, procedures, and controls established within the system either prior to verification, after verification, or during verification of user residency, as well as whenever a user alters their information.
OFFLINE: Live Point of Sale (POS) transactions where a physical face-to-face transaction occurs between a physical operator and a physical user conform to traditional in-person transaction activities. Because the operator is physically present to witness and verify the user, no additional solution is required. It is the responsibility of the operating organization to ensure offline tickets are sold within the governing jurisdiction of the drawing location. as these transactions occur outside of the RaffleAmerica.com™ platform. Offline Raffle and Event ticket sales can be added to the system database for accounting and records keeping, as well as ticket printing for any drawing pool.
Virtual Checkpoint™ is a United States Patented solution licensed exclusively to RaffleAmerica.com and its private labeled branded solutions by NEMISYS NETWORKS™ for the purpose of charitable fundraising. Virtual Checkpoint™ is a Trademark of NEMISYS NETWORKS™. NEMISYS NETWORKS™ actively pursues the protection of its Intellectual Property Rights.
Visit us at RaffleAmerica.com to learn more.