MissedComplianceProxy
Locance (LocationSmart) Ontario: real-money deposit with no identity check + detection rules exposed in API
Source. June 2, 2026 weekly sync.
Ticket. CIV-53: Locance (LocationSmart) Ontario — compliance and security gaps.
What we tested
Locance (LocationSmart), a geolocation provider active in Ontario. Two angles: the account-onboarding and deposit flow, and the content of the API response when connecting from outside the jurisdiction.
What happened
- ✗ No identity / location verification. A tester completed account registration and a real-money Interac deposit without ever being asked to verify identity or location — a step that should be mandatory under Ontario iGaming compliance rules.
- ✗ Detection logic exposed in plain text. Connecting from a
Singapore IP, the API response visibly named the exact detection
rules that were triggered — e.g.
IP proxy detected,IP hosting provider.
Why it matters
Two distinct problems on one provider:
- The identity-verification gap is a direct compliance failure. Completing a real-money deposit with no KYC step is a regulator-facing defect under Ontario rules.
- The exposed detection logic is a security weakness. Any technically sophisticated fraudster intercepting the response learns precisely which rules they need to evade, and can tune their attack accordingly.
Both findings are relevant for competitive positioning against operators considering Locance.
Cross-reference
- Locance profile → — capability and posture summary.
- Locance full validation is queued for an upcoming cycle (CIV-54) — see What's Next in the June 2 weekly sync.